IPPF

GTAG 14 - Auditing User-developed Applications

Almost every organization uses some form of user-developed applications (UDAs) because they can be more easily developed, are less costly to produce, and can typically be changed with relative ease versus programs and reports developed by IT personnel. However, once end users are given freedom to extract, manipulate, summarize, and analyze their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT. These risks include data integrity, availability, and confidentiality. Because management relies on UDAs, which can be a significant part of financial reporting and operational processes, as well as related decision making, the internal auditor must determine and review UDA risks and build an audit of UDAs into the annual internal audit plan as appropriate.

GTAG 14: Auditing User-developed Applications provides:

  • Direction on how to scope an internal audit of UDAs.
  • Guidance for how the internal auditor’s role as a consultant can be leveraged to assist management with developing an effective UDA control framework.
  • Considerations that internal auditors should address when performing UDA audits.
  • A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.

GTAG 12 - Auditing IT Projects

Whether IT projects are developed in house or are co-sourced with third-party providers, they are filled with challenges that must be considered carefully to ensure success. Insufficient attention to these challenges can result in wasted money and resources, loss of trust, and reputation damage. Early involvement by internal auditors can help ensure positive results and the accompanying benefits. They can serve as a bridge between individual business units and the IT function, point out previously unidentified risks, and recommend controls for enhancing outcomes.

Auditing IT Projects provides an overview of techniques for effectively engaging with project teams and management to assess the risks related to IT projects. This GTAG includes:

  • Key project management risks.
  • How the internal audit activity can actively participate in the review of projects while maintaining independence.
  • Five key components of IT projects for internal auditors to consider when building an audit approach.
  • Types of project audits.
  • A suggested list of questions for use in the IT project assessment.

GTAG 10 - Business Continuity Management

This GTAG focuses on how business continuity management (BCM) is designed to enable business leaders to manage the level of risk the organization could encounter in the case of a natural or man-made disruptive event that affects the extended operability of the organization.

Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor that has the time to ensure its success. Business Continuity Management will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

The guide includes:

  • Disaster recovery planning for continuity of critical information technology infrastructure.
  • Business application systems.

GTAG 9 - Identity and Access Management

Identity and access management (IAM) is a cross-functional process that helps organizations to manage who has access to what information over a period of time. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.

CAEs should be involved in the development of the organization's IAM strategy as well as evaluate the implementation of the strategy and effectiveness of companywide access controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. It can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes. A checklist for IAM review is also included in this guide.

GTAG 8 - Auditing Application Controls

Each year, billions of dollars are spent globally on implementing new or upgrading business application systems. Effective application controls will help your organization to ensure the integrity, accuracy, confidentiality and completeness of your data and systems. It is important for the CAE and his or her team to develop and execute audits of application controls on a periodic basis in order to determine whether they are designed appropriately and operating effectively.

To further assist CAEs or other individuals who use this guide, we have also included a list of key application controls, a sample audit plan, and a list of some application control review tools.

GTAG 4 - Management of IT Auditing (2nd edition)

To ensure that CAEs and their teams stay continuously up to date on IT topics, the Institute of Internal Auditors has published the second edition of GTAG 4: “Management of IT Auditing”.

With the new GTAG, CAEs have guidelines for properly managing the main audit activities related to information technology. The document pays particular attention to:

  • identifying the resources needed for IT audit processes;
  • assessing the risks arising from IT audit activities;
  • correctly executing all phases of the IT audit process.

GTAG 2 - Change and Patch Management Controls: Critical for Organizational Success (2nd edition)

Every IT risk contributes to defining the level of risk underlying the organization's processes, and it is important for Chief Audit Executives (CAEs) to thoroughly understand the topics of change management and patch management. These can be defined as the set of processes executed within the IT function, designed to manage enhancements, updates, and incremental patches to production systems, which include: the application of code review, system updates (applications, operating systems, and databases), and infrastructure changes (servers, cabling, routers, firewalls, etc.).

The topics discussed in GTAG 2 are presented in appropriate language, enabling the CAE to add value to conversations with senior management, the board, and the head of IT. This guide will also give you the know-how to:

  • distinguish effective change management processes from ineffective ones;
  • recommend best practices for addressing the topics of interest, both for risk assurance (including control attestations) and for increasing effectiveness and efficiency;
  • advise the Chief Information Officer, the Chief Executive Officer, and/or the Chief Financial Officer more effectively and convincingly;
  • have the operational skills that will allow you to improve IT processes.

Auditing Anti-Bribery and Anti-Corruption Programs

Increasing globalization, legal complexities, and the potential for serious financial and reputational harm have made the risks of bribery and corruption, and audits of anti-bribery and anti-corruption programs, top corporate issues. Auditing anti-bribery and anti-corruption programs requires a team of auditors with collective skills, knowledge, and expertise in compliance, fraud, investigations, regulatory affairs, IT, finance, culture, and ethics.

On the global front, the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are examples of strict legal regulations, each with far-reaching international implications. And evolving anti-bribery and anti-corruption legislation in China, Hong Kong, India, and other countries (see page 17) is further complicating the matter. Private and public sector organizations are increasing awareness of bribery and corruption exposures and fighting back through international accords, regional conventions, best practice guides, and information on perceptions and instances of bribery and corruption.

Applying The IIA’s International Professional Practices Framework as a Professional Services Firm

Assessing Cybersecurity Risk

Executive Summary

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.
