IIA - The Institute of Internal Auditors

GAIT for Business and IT Risk

What is GAIT for Business and IT Risk?
GAIT for Business and IT Risk, or GAIT-R, focuses on identifying the key controls that are essential to achieving business goals and objectives.

Who is it for?
GAIT-R was developed primarily for internal audit practitioners. It also can be used by IT governance and security managers or those who are charged with designing and managing IT risks within their organizations.

How Can it Help You?
GAIT-R improves the efficiency and effectiveness of internal audit functions by enabling a focus on business risk and minimizing attention to IT risks that are not critical to the organization. It enables chief audit executives (CAEs) to provide assurance on business risk with the comfort that IT-related issues are given the appropriate level of consideration.

Similarly to the other practice guides in the GAIT series, the GAIT-R methodology is built around a set of principles:

• The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
• Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls — including automated controls and IT general controls (ITGCs) — required to manage or mitigate business risk.
• Business risks are mitigated by a combination of manual and automated key controls.
• To assess the system of internal control to manage or mitigate business risks, key automated controls need to be assessed.
• ITGCs may be relied upon to provide assurance of the continued and proper operation of automated key controls.

This methodology also delivers a scope that is based on the risks to each identified business objective, which includes manual key controls within each business process; automated and hybrid key controls within each business process; key controls within ITGC processes; and controls at the entity level, including activities in the control environment, information and communication, and other layers of COSO's internal control model.

The Three Lines of Defense in Effective Risk Management and Control: Is Your Organization Positioned for Success?

“The Three Lines of Defense in Effective Risk Management and Control” è il nuovo Position Paper, edito dall'IIA, che fornisce le linee guida utili alla mitigazione dei rischi, con speciale riferimento alle organizzazioni che operano in un contesto di business in continua evoluzione, indipendentemente dalle dimensioni delle aziende o dal loro grado di avversione al rischio.In particolare, il documento:sottolinea le criticità del risk management, espletando le specifiche mansioni che dovrebbero essere assegnate e coordinate all’interno dell'organizzazione stessa;fornisce un modo semplice ed efficace per migliorare le attività di comunicazione in ambito di risk management e controllo. 

Alternative nella scelta di risorse per l'Internal Auditing

Questo documento è la traduzione del Position Paper "Resourcing alternatives for the Internal Audit Function", emesso dall'Institute of Internal Auditors e fa parte del IPPF.Lo scopo è di offrire delle linee guida e dei suggerimenti al Management, al Comitato per il Controllo Interno e al Responsabile Internal Auditing (RIA) sull'assegnazione di risorse dedicata all'attività di Internal Auditing e sulle possibili conseguenze che tale scelta comporta.Risultati empirici indicano che la maggior parte degli internal auditor concorda sull'opportunità di utilizzare l'outsourcing parziale. Tuttavia non c'è unanimità di opinione circa la corretta quantità di risorse esterne, per non parlare del criterio per quantificarle, poiché non è possibile rispondere ad una simile domanda senza considerare la dimensione, la natura e la complessità dell'organizzazione in cui l'attività di Internal Auditing si effettua. La propensione verso contratti di outsourcing completo delle risorse di Internal Auditing genera ulteriori quesiti in merito a come gestire l'attività.La pubblicazione in formato PDF è gratuita per tutti i soci che possono effettuare il download. Il documento, scaricabile gratuitamente per tutti i soci AIIA, è acquistabile in formato elettronico per tutti i non soci >>

N° 68 della newsletter "Tone at the Top" dell'IIA

Adottare un codice di condotta: elemento essenziale per un buon governo sia all'interno dell'organizzazione che con le terze parti conivolte.

Auditing Anti-Bribery and Anti-Corruption Programs

Increasing globalization, legal complexities, and the potential for serious financial and reputational harm have made the risks of bribery and corruption, and audits of anti-bribery and anti-corruption programs, top corporate issues. Auditing anti-bribery and anti-corruption programs requires a team of auditors with collective skills, knowledge, and expertise in compliance, fraud, investigations, regulatory affairs, IT, finance, culture, and ethics.On the global front, the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are examples of strict legal regulations, each with far-reaching international implications. And evolving anti-bribery and anticorruption legislation in China, Hong Kong, India, and other countries (see page 17) is further complicating the matter. Private and public sector organizations are increasing awareness of bribery and corruption exposures and fighting back through international accords, regional conventions, best practice guides, and information on perceptions and instances of bribery and corruption.

N° 70 della newsletter "Tone at the Top" dell'IIA

Fornire informazioni precise al Management, al Board e agli Audit Committees circa tematiche di governance. Come operare?"Almost daily, we see news accounts of hackers breaking through firewalls and stealing data from major corporations. Placed on the defensive, most companies respond similarly: An alarmed public is told of plans to rectify the situation and protect customers."

N° 71 della newsletter "Tone at the Top" dell'IIA

The Tactful Skeptic: It’s not an oxymoron. There is an etiquette to skepticism, and every board member should know how to exercise skepticism respectfully, listen to management carefully, and not be afraid to “trust but verify.”

N° 73 della newsletter "Tone at the Top" dell'IIA

In today’s business environment, having an efficient and effective internal audit function is a true necessity. Internal auditing is among the cornerstones of effective organizational governance.