TIAPS Module 1 Audit and Assurance workbook

More documents

Recommendations

Info

Class of IT Examples Controls General Controls • The organizational and IT control environments. • Technical-support policies and procedures. • Policies and processes for change management. • Procedures for source code/document version-control. • Standards for software development lifecycle. • Hardware/software configuration, installation, testing, management, standards, policies, and procedures. • Security policies, standards, and processes. • Procedures and policies for incident-management. • Procedures for back-up and disaster recovery. Application • Authentication. Controls • Authorization. • Change management. • Completeness checks. • Identification. • Input controls. • Problem management. • Validity checks. The relationships among the classification of IT controls are shown in the following graphic, adapted from GTAG: Information Technology Risks and Controls, The IIA, 2012 65 : Figure: Types of IT Controls 65 GTAG, Information Technology Risks and Controls, The IIA, 2012 66
IT controls may be manual, automated, or semi-automated. A useful article by AuditBoard makes the distinction clear: Automated controls are ideal in situations with high volume, uniform transactions. In this case, there is little need for manual intervention or judgment. Automated controls include the risk of relying on inaccurate systems and data or putting trust in an inappropriate automation algorithm. Manual controls are preferred when there is a need for human judgment. The need for manual controls often arises when there is a low volume of transactions that require discretion in deciding the outcome of the internal control process. Manual controls run the risk of human error and intentional override. A third control category also exists called semi-automated controls, sometimes referred to as IT-dependent controls. With this type of automated control, human intervention is still required, but the person’s action is dependent on the output for a system. 66 In addition, the process of testing controls can be automated with significant benefits, as described by EY: • Increased operational efficiency (compared with manual controls and risk compliance processes that may be “fragmented, siloed, and unsustainable.”) • Reduced compliance costs associated with the manual effort, time, and errors. • Improved controls assurance, allowing for high volume, high accuracy, and live insights. • Continuous controls improvement, making the shift “from controls testing as a compliance exercise to a value-added program.” 67 The advanced tools described in Module 2 Good Governance, Managerial Accountability, Developing Strategy, and Data Analysis section B.3.1, including data analytics, robotic process automation, artificial intelligence, machine learning, deep learning networks, and exploratory data analysis, can be used to enable automated controls testing. C.3.3 Cybersecurity IT is not just something that might fail through error, poor practice, and bad luck; it provides a target for deliberate and often malicious attacks. The IIA Cybersecurity Toolkit provides a checklist for undertaking cybersecurity audits of key areas to consider as part of the planning and testing stages. • Cybersecurity governance. (This is discussed in more detail in section A.4.) • Inventory of information assets (hardware, software, and data). 66 Automated Controls Testing and SOX Testing, AuditBoard, 2016. 67 Automated Controls Testing: a stepping-stone to the future of internal audit, EY, 2021. https://www.linkedin.com/pulse/automated-controls-testing-stepping-stone-future-internal-roffey/ 67
Page 1 and 2:
Module 1: Audit and Assurance TIAPS
Page 3 and 4:
Table of Contents Module 1: Audit a
Page 5 and 6:
Relevant Standards Reference is mad
Page 7 and 8:
• Close scrutiny. The activities
Page 9 and 10:
A.2 Public Sector Governance IIA In
Page 11 and 12:
The need for governance arises for
Page 13 and 14:
Although developed for government a
Page 15 and 16: A.3 Governance Models When evaluati
Page 17 and 18: defensive aspects to minimize negat
Page 19 and 20: A.3.3 CIPFA International Framework
Page 21 and 22: 8. Ensure that its arrangements for
Page 23 and 24: • Consideration of overlapping in
Page 25 and 26: A.3: Reflection Which model or mod
Page 27 and 28: Although they are related, the prin
Page 29 and 30: B.1.1 Independence, Objectivity, an
Page 31 and 32: B.1: Reflection Is it possible to
Page 33 and 34: According to The IIA Position Paper
Page 35 and 36: B.2: Reflection When was the last t
Page 37 and 38: When independence or objectivity ar
Page 39 and 40: B.4 Safeguards for Independence and
Page 41 and 42: In other cases, there is no audit c
Page 43 and 44: C. Assurance and Advisory Engagemen
Page 45 and 46: It is common to build an allowance
Page 47 and 48: The following list is taken from Sa
Page 49 and 50: helping managers developing control
Page 51 and 52: C.1.5 Internal Audit Opinions Audit
Page 53 and 54: Leadership and Communication Intern
Page 55 and 56: C.2 Auditing Governance The IIA Sup
Page 57 and 58: C.2: Reflection How does your inter
Page 59 and 60: Fraud may be perpetrated via measur
Page 61 and 62: circumstances (unethical and often
Page 63 and 64: Management Issues • Lack of area
Page 65: Risk management techniques can be a
Page 69 and 70: The IIA’s Cybersecurity Toolkit d
Page 71 and 72: C.3: Reflection Fraud: How are susp
Page 73 and 74: Global Perspectives and Insights -
Page 75: CIPFA: 77 Mansell Street, London E1
show all

TIAPS Module 1 Audit and Assurance workbook

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?