TIAPS Module 1 Audit and Assurance workbook

10.04.2023

• Standard security configurations (following best practices for key items of hardware and software).
• Information access management (appropriate for each layer, i.e., application user, developer, administrator).
• Proactive and preventive controls (e.g., malware detection, vulnerability scanning, penetration testing, and data encryption).
• Response and remediation. [68]

Cybersecurity is a key element of IT risk and focuses on how an organization protects its information assets (computers, networks, programs, and data) through the use of various technologies, processes, and practices. Cybersecurity risks arise in the context of access, damage, and alteration to, and availability, control, theft, and distribution of, these assets.

As with the management of fraud and IT risks, cybersecurity can be considered in the context of more general frameworks as well as specialized models. The guide COSO in the Cyber Age uses the COSO Internal Control – Integrated Framework as the basis for a review of cybersecurity risks and how internal audit may review these.

COSO Internal Control Element / Questions for Internal Audit to Consider

Control Environment
• Does the board of directors understand the organization’s cyber risk profile and are they informed of how the organization is managing the evolving cyber risks management faces?

Risk Assessment
• Has the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such objectives?

Control Activities
• Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization?
• Have such control activities been deployed through formalized policies and procedures?

Information and Communication
• Has the organization identified information requirements to manage internal control over cyber risk?
• Has the organization defined internal and external communication channels and protocols that support the functioning of internal control?
• How will the organization respond to, manage, and communicate a cyber risk event?

Monitoring Activities
• How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks?
• When deficiencies are identified, how are these deficiencies communicated and prioritized for corrective action?
• What is the organization doing to monitor their cyber risk profile? [69]

[68] Cybersecurity Toolkit, The IIA, 2021.
[69] COSO in the Cyber Age, COSO, 2015.

The IIA’s Cybersecurity Toolkit describes internal audit’s contribution to cybersecurity governance through consideration of the main components of a governance model, as follows:
• Board-level oversight: Confirm that the board of directors sees regular reporting on cybersecurity risks and risk mitigation activities.
• Policies and procedures: Verify whether significant processes described below are adequately covered in policies and procedures, and whether the guidance has been reauthorized within a reasonable time period.
• Risk management: Determine whether management has conducted a comprehensive cyber risk assessment, covering all geographic areas of operation, business lines, etc.
• Records and information management: Verify whether system architecture and data flow documentation is complete, accurate, and consistently retained.
• Compliance: Determine whether IT and IS leaders have identified relevant external requirements and implemented controls to ensure the organization meets the standards.
• Data classification: Confirm that a classification scheme has been defined and is recorded for all systems and databases.
• Vendor management: Verify whether third-party risks have been assessed, and whether vendors that store or process sensitive data are subject to sufficient contractual, oversight, and technical controls.
• Management reporting: Determine whether KPIs or KRIs have been defined for cybersecurity, and whether reporting is accurate and actionable.
• Personnel: Determine whether IT and IS staffing is sufficient and has the expertise to deploy security tools and enforce policies. [70]

The IIA series Global Perspectives and Insights provides three-part guidance on cybersecurity. Among other things, the guidance emphasizes the importance of a collaborative approach to cybersecurity in which the internal auditor has an important role, placing particular importance on the relationship between internal audit and the senior manager charged with information security. Oversight by the governing body is also critical. [71]

[70] Cybersecurity Toolkit, The IIA, 2021.
[71] Global Perspectives and Insights – Cybersecurity in 2022, Parts 1-3, The IIA, 2022.

