Information Technology

GTAG 4 - Management of IT Auditing (2^ edizione)

Al fine di garantire ai CAE, e al loro gruppo di lavoro, un  aggiornamento continuo sulla tematica IT, l'Institute of Internal Auditors ha pubblicato la seconda edizione della GTAG 4: “Management of IT Auditing”.

Grazie alla nuova GTAG, i CAE hanno a disposizione le linee guida per una corretta gestione delle principali attività di Audit correlate all'Information Technology. Il documento pone particolare attenzione:

• all'individuazione delle risorse necessarie ai processi di IT Audit;
• alla valutazione dei rischi derivanti dalle attività di IT Audit;
• all'esecuzione corretta di tutte le fasi del processo di IT Audit.

GTAG 2 - Change and Patch Management Controls: Critical for Organizational Success (2^ edizione)

Ogni rischio IT contribuisce alla definizione del grado di rischio sottostante ai processi dell'impresa, ed è importante per il Chief Audit Executives (CAEs) affinchè possa capire a fondo le tematiche del change management e della gestione della patch.Esse sono definibili come l’insieme dei processi eseguiti all’interno della funzione IT, progettati per gestire i miglioramenti, gli aggiornamenti e le patch incrementali ai sistemi di produzione che includono: l’applicazione del code review, gli aggiornamenti del sistema (applicazioni, sistemi operativi e database) e le modifiche infrastrutturali (server, cavi, router, firewall, ecc).

Le tematiche discusse nel GTAG2 sono trattate con un linguaggio appropriato, che permette al CAE di fornire valore aggiunto alle conversazioni con il senior management, il board e il responsabile IT.Questa guide ti fornirà anche il know-how per:

• distinguere i processi di change management, tra efficaci e inefficaci;
• raccomandare le best practice per affrontare i temi oggetto d’interesse, sia per il risk assurance (compresi gli attestati di controllo), sia per aumentare l’efficacia e l’efficienza;
• consigliare in modo più efficace e convincente il Chief Information Officer, il Chief Executive Officer e/o il Chief Financial Officer;
• avere le competenze operative che ti permetteranno di migliorare i processi IT.

GTAG 1 - Information Technology Controls (2^ edizione)

La guidance, con uno stile semplice e di facile lettura, aiuta i Chief Audit Executive (CAEs) e i loro team a tenere il passo con il mondo dell'IT, talvolta complesso e in continua evoluzione. Di fatto, la GTAG:

• fornisce una panoramica sui rischi connessi ai processi IT e ai relativi controlli, in modo da fornire, sia al senior management che all’audit committee, maggiori garanzie nell'individuazione di una migliore valutazione del grado del rischio e del necessario livello di controllo;
• assicura al CAE e agli Internal Auditor una maggiore consapevolezza del rischio, del controllo, e della governance relativa ai processi IT;
• aiuta gli Internal Auditor ad accrescere la confidenza con gli IT general control, in modo che possano tranquillamente comunicare con il proprio Audit Committee e dialogare attivamente con il Chief Information Officer (CIO) e con il responsabile della funzione Internal Audit sui rischi e controlli di processo;
• descrive come gli organi sociali, il management, i professionisti dell’IT e gli Internal Auditors affrontano i temi dell’IT e i relativi rischi;
• pone le basi per le successive GTAG inerenti specifici argomenti IT, ruoli aziendali associati e responsabilità più dettagliate.

GAIT Methodology

What is GAIT Methodology?
GAIT Methodology is a guide to assessing the scope of IT general controls using a top-down and risk-based approach.

Who is it for?
Management and external auditors can use this guide in their identification of key controls within IT general controls as part of and a continuation of their top-down and risk-based scoping of key controls for internal control over financial reporting.

How Can it Help You?
The IIA developed this guidance to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. More specifically, this methodology enables management and auditors to identify key IT general controls as part of and as a continuation of the company's top-down, risk-based scoping efforts for Section 404 compliance.

If a failure is likely, the methodology identifies the IT general control process risks in detail and the related IT general control objectives that, when achieved, mitigate these risks. CobiT and other methodologies then can be used to identify the key controls that address these IT general control objectives.

The Principles
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:

• The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
• The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
• The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
• Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

GAIT Methodology enables organizations to implement the principles and gives management and auditors guidance around scoping IT general controls and the tools to defend these decisions.

GAIT for Business and IT Risk

What is GAIT for Business and IT Risk?
GAIT for Business and IT Risk, or GAIT-R, focuses on identifying the key controls that are essential to achieving business goals and objectives.

Who is it for?
GAIT-R was developed primarily for internal audit practitioners. It also can be used by IT governance and security managers or those who are charged with designing and managing IT risks within their organizations.

How Can it Help You?
GAIT-R improves the efficiency and effectiveness of internal audit functions by enabling a focus on business risk and minimizing attention to IT risks that are not critical to the organization. It enables chief audit executives (CAEs) to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration.

Similarly to the other practice guides in the GAIT series, the GAIT-R methodology is built around a set of principles:

• The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
• Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls — including automated controls and IT general controls (ITGCs) — required to manage or mitigate business risk.
• Business risks are mitigated by a combination of manual and automated key controls.
• To assess the system of internal control to manage or mitigate business risks, key automated controls need to be assessed.
• ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.

This methodology also delivers a scope that is based on the risks to each identified business objective, which includes manual key controls within each business process; automated and hybrid key controls within each business process; key controls within ITGC processes; and controls at the entity level, including activities in the control environment, information and communication, and other layers of COSO's internal control model.

CAE Program - L’Internal Audit Analytics verso l’Artificial Intelligence

THE SECURITY INTELLIGENCE CENTER Next Steps: Beyond Response to Anticipation

Audit Tools per l’Internal Audit: Testimonianze e Ricerche sul campo