TIAPS Module 1 Audit and Assurance workbook
Risk management techniques can be applied to IT risks, although specialist frameworks and
standards have been developed to define best practices and reflect the complexity of the
area. IT is subject to rapid development, and service users (including staff who operate
systems supported by IT) are likely to have high expectations. Customer online experiences
of companies like Amazon reduce our tolerance of anything less effective or user-friendly.
Internal auditors are expected to account for IT risks in every engagement.
Standard 2110 – Governance
2110.A2 The internal audit activity must assess whether the information technology
governance of the organization supports the organization’s strategies and objectives.
Standard 2120 – Risk Management
2120.A1 The internal audit activity must evaluate risk exposures relating to the
organization’s governance, operations, and information systems.
Standard 2130 – Control
2130.A1 The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization’s governance, operations, and
information systems. 64
Internal auditors should identify IT risks within audits and evaluate the effectiveness of
management responses to them. There should be appropriate expertise to enable the
internal audit function to consider all IT risks, although not all auditors need to be specialists.
Where the expertise is lacking within the team, the head of the function will need to draw on
other sources to provide the desired level of assurance to senior management and the
governing body. A risk management framework such as COSO Internal Control – Integrated
Framework may be used to support auditors in developing audit objectives and plans,
undertaking testing and analysis, and formulating conclusions. Specialist standards may also
be used to guide the work of internal audit and serve as a benchmark for expected practice.
There are two main classes of IT controls, namely general controls and application controls.
General controls operate at the most fundamental level and work to ensure the integrity of IT
outputs. Application controls are fully automated and are designed to ensure correctness of
processing throughout the system.
64 The International Professional Practice Framework, The Institute of Internal Auditors, 2016