TIAPS Module 1 Audit and Assurance workbook

More documents

Recommendations

Info

C.3.2 Information Technology IIA Internal Audit Competency Framework Information Technology: General Awareness: Describe the basic concepts of IT and data analytics. Describe the various risks related to IT, information security, and data privacy. Recognize the purpose and applications of IT control frameworks and basic IT controls. Applied Knowledge: Apply data analytics and IT in auditing. Identify and assess various risks related to IT, information security, and data privacy. Apply IT control frameworks. Expert: Evaluate the use of data analytics and IT in auditing. Recommend actions to address IT risks, information security, and data privacy. Evaluate the use of IT control frameworks. 63 IT audit is no longer the exclusive preserve of specialists. Information technology is utilized universally across departments and forms a part of most procedures. Hence, all internal auditors need to be able to recognize IT risks and evaluate the effectiveness of controls. IT creates many opportunities and threats for organizations. It is used as a tool to provide services to clients and support routine operations including controls. IT usage includes: • Routine storage, access, and manipulation of large amounts of data, presenting potential issues for data privacy and protection. • Wide usage and availability of mobile phones, tablets, laptops, memory sticks with huge storage capacity, and other personal devices. • Ready access to “big data” and the potential for continuous auditing. • The increasing use of data analytics • Social media for personal and business use. • Cloud computing for flexible storage and access. • Blockchain. • Artificial intelligence, machine learning, and virtual reality. • Online receipts, payments, and banking. IT tools and techniques are also available for internal auditors to assist with planning, communication, testing, remote observation, analysis, and follow up. (This is covered in more detail in T2: Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis.) IT creates key risk areas for organization including: • Compliance risks (especially for data privacy and protection). • Reputational damage and erosion of trust by citizens, service users, vendors, donor organizations, and others. • Financial penalties. • Operational disruption. • Skills gaps and shortages. 63 Internal Audit Competency Framework, The IIA, 2022. 64
Risk management techniques can be applied to IT risks although specialist frameworks and standards have been developed to define best practices and reflecting the complexity of the area. IT is subject to rapid development and service users (including staff to operate systems supported by IT) are likely to have high expectations. Customer online experiences of companies like Amazon reduce our tolerance of anything less effective or user-friendly. Internal auditors are expected to account for IT risks in every engagement. Standard 2110 – Governance 2110.A2 The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives. Standard 2120 – Risk Management 2120.A1 The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems. Standard 2130 – Control 2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems. 64 Internal auditors should identify IT risks within audits and evaluate the effectiveness of management responses to them. There should be appropriate expertise to enable the internal audit function to consider all IT risks, although not all auditors need to be specialists. Where the expertise is lacking within the team, the head of the function will need to draw on other sources to provide the desired level of assurance to senior management and the governing body. A risk management framework such as COSO Internal Control – Integrated Framework may be used to support auditors in developing audit objectives and plans, undertaking testing and analysis, and formulating conclusions. Specialist standards may also be used to guide the work of internal audit and serve as a benchmark for expected practice. There are two main classes of IT controls namely general controls and application controls. General controls operate at the most fundamental level and work to ensure the integrity of IT outputs. Application controls are fully automated and are designed to ensure correctness of processing throughout the system. 64 The International Professional Practice Framework, The Institute of Internal Auditors, 2016 65
Page 1 and 2:
Module 1: Audit and Assurance TIAPS
Page 3 and 4:
Table of Contents Module 1: Audit a
Page 5 and 6:
Relevant Standards Reference is mad
Page 7 and 8:
• Close scrutiny. The activities
Page 9 and 10:
A.2 Public Sector Governance IIA In
Page 11 and 12:
The need for governance arises for
Page 13 and 14: Although developed for government a
Page 15 and 16: A.3 Governance Models When evaluati
Page 17 and 18: defensive aspects to minimize negat
Page 19 and 20: A.3.3 CIPFA International Framework
Page 21 and 22: 8. Ensure that its arrangements for
Page 23 and 24: • Consideration of overlapping in
Page 25 and 26: A.3: Reflection Which model or mod
Page 27 and 28: Although they are related, the prin
Page 29 and 30: B.1.1 Independence, Objectivity, an
Page 31 and 32: B.1: Reflection Is it possible to
Page 33 and 34: According to The IIA Position Paper
Page 35 and 36: B.2: Reflection When was the last t
Page 37 and 38: When independence or objectivity ar
Page 39 and 40: B.4 Safeguards for Independence and
Page 41 and 42: In other cases, there is no audit c
Page 43 and 44: C. Assurance and Advisory Engagemen
Page 45 and 46: It is common to build an allowance
Page 47 and 48: The following list is taken from Sa
Page 49 and 50: helping managers developing control
Page 51 and 52: C.1.5 Internal Audit Opinions Audit
Page 53 and 54: Leadership and Communication Intern
Page 55 and 56: C.2 Auditing Governance The IIA Sup
Page 57 and 58: C.2: Reflection How does your inter
Page 59 and 60: Fraud may be perpetrated via measur
Page 61 and 62: circumstances (unethical and often
Page 63: Management Issues • Lack of area
Page 67 and 68: IT controls may be manual, automate
Page 69 and 70: The IIA’s Cybersecurity Toolkit d
Page 71 and 72: C.3: Reflection Fraud: How are susp
Page 73 and 74: Global Perspectives and Insights -
Page 75: CIPFA: 77 Mansell Street, London E1
show all

TIAPS Module 1 Audit and Assurance workbook

Create successful ePaper yourself

Delete template?

Save as template?