
License Agreement for The IIA’s CIA® Challenge Exam Study Guide

STUDENT MATERIALS

By opening and using The IIA’s CIA® Challenge Exam Study Guide student materials (the “Materials”), the user (“User”) hereby agrees as follows:

(i) That The Institute of Internal Auditors is the exclusive copyright owner of the Materials.

(ii) Provided that the required fee for use of the Materials by User has been paid to The IIA or its agent, User has the right, by this License, to use the Materials solely for his/her own educational use.

(iii) User has no right to print or make any copies, in any media, of the materials, or to sell, or sublicense, loan, or otherwise convey or distribute these materials or any copies thereof in any media.

The IIA’s CIA® Challenge Exam Study Guide

The IIA’s CIA® Challenge Exam Study Guide is based on select portions of the Certified Internal Auditor® (CIA®) syllabus developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the study guide is a good tool for study, reading the text does not guarantee a passing score on the CIA exam.

Every effort has been made to ensure that all information is current and correct. However, laws and regulations change, and these materials are not intended to offer legal or professional services or advice. This material is consistent with the revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright
These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its members. Please do not violate the copyright.

Acknowledgments
The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights during development and subsequent updates.

Subject matter experts
Farah George Araj, CPA, CIA, CFE, QIAL, Australia
Scott Blankenship, CIA, CRMA, CPA, CFE, United States
Melissa Clawson, CIA, CRMA, United States
Christy Decker-Weber, CIA, CRMA, CPA, CFE, CHIAP
Jayson Walter Kwasnik, CIA, CPA, CA, Canada
Jessica Minshew, CIA, United States
Joanne F. Prakapas, CIA, CRMA, CFE, CPA, CFF, United States
James M. Reinhard, CIA, United States
Elizabeth Sandwith, CFIIA, United Kingdom

Past subject matter experts
Pat Adams, CIA
Terry Bingham, CIA, CISA, CCSA
Raven Catlin, CIA, CPA, CFSA
Patrick Copeland, CIA, CRMA, CISA, CPA
Don Espersen, CIA
Michael J. Fucilli, CIA, QIAL, CRMA, CGAP, CFE
James D. Hallinan, CIA, CPA, CFSA, CBA
Larry Hubbard, CIA, CCSA, CPA, CISA
Jim Key, CIA
David Mancina, CIA, CPA
Al Marcella, PhD, CISA, CCSA
Markus Mayer, CIA
Vicki A. McIntyre, CIA, CFSA, CRMA, CPA
Gary Mitten, CIA, CCSA
Lynn Morley, CIA, CGA
Lyndon Remias, CIA
James Roth, PhD, CIA, CCSA
Brad Schwieger, CPA, DBA
Doug Ziegenfuss, PhD, CIA, CCSA, CPA, CMA, CFE, CISA, CGFM, CR.FA., CIT
 
Part 3: Business Knowledge for Internal Auditing

This part of The IIA’s CIA Challenge Exam Study Guide focuses on key areas of knowledge that can help internal auditors with audit engagements. Some subjects will be directly applicable to any internal audit activity, such as examining risk and control implications of different organizational structures or project management. Knowledge in subjects such as strategic planning, global business environments, or information security can also help the internal auditor to demonstrate to stakeholders that he or she has a firm understanding of the organization’s business practices and industry environment.

Internal auditors who are perceived as having business savvy and organizational familiarity will be in a position to deliver value and insight. Decision makers may place more weight on recommendations that are sensitive to the organization’s strategy and the complexities of its global challenges.

In brief, the sections in Part 3 are as follows:

Section A: Business Acumen. Strategic planning process, organizational structure, business processes, and project management.

Section B: Data Analytics. Data analytics types, governance methods, frameworks, processes, and use in internal auditing.

Section C: Information Technology and Security. Information security controls, data privacy laws and their potential impact, emerging technology practices, existing and emerging cybersecurity risks, security-related policies, the systems development life cycle (SDLC) and delivery, change controls, and IT control frameworks.

Section A: Business Acumen

This section is designed to help you:
Describe the strategic planning process and key activities.
Define objective setting.
Identify globalization and competitive considerations.
Explain the process of aligning strategic planning to the organization’s mission and values.
Appraise the risk and control implications of different organizational structures and common business processes.
Identify project management techniques.

According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

In a tightly competitive market, customers demand more for less and have access to multiple sources of quality goods and services at competitive prices. Organizations are examining every business process to improve quality and performance to address these rising customer expectations. Also, a key long-term benefit of investing in quality is that organizations have a strong potential to improve their revenue/profit due to repeat business from loyal customers. This section will examine a number of different techniques and concepts that organizations can use to help them analyze business process performance and be more competitive.

Topic 1: Strategy, Globalization, and Audit Alignment

This topic addresses an organization’s strategic planning process and setting strategic objectives, globalization and competitive considerations, and aligning audit subjects to the organization’s mission and values.

Objective and Strategy Setting

An organization’s objectives define what the organization wants to achieve, and its ongoing success depends on the accomplishment of its objectives. For most organizations, a primary blanket objective is to enhance stakeholder value. Objectives also indicate what is expected from a governance, risk management, and internal control perspective. At the highest level, these objectives are reflected in the organization’s mission and vision statements. To get buy-in, a best practice is to get input from people at all organizational levels when developing or updating these statements.

The mission statement is a broad expression of what the organization wants to achieve in the present. The mission statement:
Needs to clearly indicate the organization’s purpose—its reason for being and how it proposes to add value for its customers and other stakeholders.
Serves as a day-to-day charge to the people in the organization to achieve this purpose.

The vision statement conveys what the organization aspires to achieve or become in the future. It represents the highest aspirational view and goals of an organization in the context of serving and adding value to its stakeholders.

Mission and vision statements are used to guide the development of strategic objectives and to perform strategic planning, which results in strategic plans.

Strategic Objectives, Strategic Planning, and Strategic Plans

Because strategic objectives and strategic planning are so critical to an organization’s success and growth, this is a key area to consider as part of the audit universe.

Strategic objectives are desired outcomes set by management that specifically relate to stakeholder value enhancement, especially over the long term. They help define how the organization intends to create a competitive advantage. (Examples of competitive advantage are addressed below.) Strategic objectives could relate to innovation, growth, cost control, investment in the organization’s people, social responsibility, and so on. Strategic objectives are reflected in the organization’s strategic planning process and plans.

Strategic planning is a disciplined upper management and board-level future-oriented process that determines the direction the organization will take to achieve strategic objectives over the long term given the changing business environment. Strategic planning helps the organization determine what type it wants to be, who it serves, and why. Strategic planning involves:
Evaluating changes in the environment, such as the economy or competitor actions, and then determining how to create a competitive advantage in this environment.
Gathering input from multiple stakeholders.
Innovating and brainstorming, followed by feasibility analysis of ideas.
Coming to agreement on priorities and initiatives for the best use of limited resources.
Ensuring alignment of strategic objectives with the organization’s mission and vision.
Determining the desired end result, how to get there (in broad terms), and how to determine if the strategy is successful (defining specific and measurable results).
Documenting the results of this process in the organization’s strategic plans.

Strategic plans are high-level, long-term plans for multiple years into the future:
They are a valuable communications tool and set the tone for proper governance.
They are an important input or subject for many assurance and consulting engagements:
  Understanding of the strategy, key business objectives, associated risks, and risk management processes is vital for setting the context for most engagements.
  Assurance engagements often check that plans and objectives for the audit area align with and integrate into top-level plans.
  Assurance engagements may verify that the organization’s strategy aligns with its risk appetite.
  Assurance engagements related to strategic plans may need to verify that the plan is effectively communicated.
  Consulting engagements related to improving the strategy or strategic planning may assess whether the organization has a sound strategy and/or strategic planning process.

The chief audit executive (CAE) must consult with the entity’s board and senior management to obtain an understanding of the organization’s strategy and must revise the risk-based annual audit plan as needed to reflect changes in the organization’s business.

An organization’s strategic plans need to reflect global and competitive considerations in order to create a competitive advantage. This is discussed more next.

Global and Competitive Considerations

An organization sets a strategy to determine not only what type of organization it wants to be but also how such an organization will be likely to thrive in its environment. It might, for example, want to be an agile organization that adapts well to changes or a large organization that can offer economies of scale and low prices. The organization’s success in its strategy depends not only on the successful execution of the strategy but also on the opportunities and risks that exist in the organization’s environment.

Globalization has expanded most organizations’ environments to include access to larger potential customer bases at relatively low costs (opportunities), but this also results in more potential competitors from around the world (risks). The organization will likely have some competitive advantages, which are relative advantages one organization (or nation) has over its competitors. Here are some potential sources of competitive advantage:

Labor market. Access to low-cost labor, high-skill labor, a wide labor pool.

Suppliers and raw materials. Access to materials at favorable prices, good or long-term relationships with suppliers, some degree of ownership or control of (or independence from) suppliers, supplier proximity.

Customer base. Established customer base/market share, loyal and satisfied customers.

Process and methodology maturity. Risk, control, quality, change management, manufacturing, or other frameworks; maturity level and difficulty in achieving that level of maturity.

Supply chain and transportation. Relative cost and speed of supply chain, number of options for and level of convenience to customers.

Competitor maturity and ease of market entry. Relative number of competitors, competitor sophistication, capital investment needed to become a viable competitor.

Technology. Labor-saving or insight-generating technology, proprietary technology.

Regional economy and politics; culture, legal, and regulatory environment. Regional economic prosperity, favorable politics and taxation, culture that promotes good values such as hard work or innovation, favorable laws and regulations.

Successful strategies leverage the organization’s competitive advantages relative to its competitors. However, competitors’ strategies will likely rely on their own competitive advantages. The organization’s strategy seeks to:
Leverage relative strengths and mitigate relative weaknesses in order to access opportunities (e.g., online, locally, or globally).
Minimize the likelihood or impact of risks, including competitors taking market share.

Internal auditors may be in a position to evaluate if the organization is accurately assessing the current state of its strengths and weaknesses relative to changes in globalization and the competition. This may include assessing whether the organization is altering its strategy fast enough to survive and thrive when such factors are changing quickly.

Mission and Value Alignment

Part of the organization’s mission will be to provide and add value to stakeholders; another part will be to state and live up to the organization’s values.

Organizations may align their mission with their values and ethics by creating corporate social responsibility (CSR) or sustainability programs. The basic concept is that organizations are not responsible for just short-term financial results; they are also responsible to their workers, to communities, and to the environment. Internal auditors may audit sustainability programs. For more information on CSR, review The IIA’s Practice Guide “Evaluating Corporate Social Responsibility/Sustainable Development.”

Operations, Reporting, and Compliance Objectives

Beneath the level of strategic objectives are many more detailed tactical and operational objectives that enable the strategy to succeed. COSO’s Internal Control—Integrated Framework, which is used by organizations to evaluate internal controls, identifies three categories of such objectives: operations, reporting, and compliance. The framework depicts the relationship between these objectives, the control components, and the organization’s layers in the form of a cube, as shown in Exhibit 3-1. Each side of the cube relates to and influences the other sides.

Exhibit 3-1: COSO’s Internal Control Framework

The entity structure, which represents the overall entity, divisions, subsidiaries, and so on, is depicted as one side of the cube to show how the other sides of the cube apply to various organizational levels and become more granular.

The rows represent the five components required for adequate governance, risk management, and internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities. These components relate to the organization’s strategy. For example:
The control environment includes the organization’s values, attitudes, and ethics, which all influence the organization’s strategy.
The risk assessment component helps shape strategy by weighing the pros and cons of competing strategies.

The columns represent the operations, reporting, and compliance objectives:
Operations objectives relate to the effectiveness and efficiency of operations, including but not limited to operational and financial performance goals and safeguarding of assets.
Reporting objectives relate to financial and nonfinancial reporting, both internal and external, and may include reliability, timeliness, transparency, completeness, or other terms as identified by the standards setters, regulators, or policies of the entity.
Compliance objectives relate to the laws, regulations, policies, and procedures to which the entity is subject and the entity’s adherence to the same. Subcategories may include compliance with contracts, industry standards and best practices, and internal policy.

Note that the categories are distinct but often overlap. An objective may address more than one need or responsibility or may relate to different segments of the business or different individuals.

Topic 2: Organizational Structure Risk and Control

This topic helps internal auditors appraise the risk and control implications of different organizational structures, for example, centralized versus decentralized structures or traditional hierarchical versus flat structures.

Organizational Structure and the Control Environment

Organizational structure is the organization’s formal decision-making framework and its way of organizing authority, responsibilities, and performance activities. In the context of organizational structure:
Chain of command refers to the line of authority in the organization.
Span of control refers to the number of employees who report to an individual in the chain of command.

Organizational structure is part of an organization’s control environment. The IPPF glossary defines control environment as follows:

The attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
Integrity and ethical values.
Management’s philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.

When auditing the control environment, internal auditors review organizational structure to see if it effectively fulfills the organization’s governance and business objectives.

Key Point
Organizational structure plays an important role in how controls may or may not work. The key consideration is what impact the structure would have on an auditable area. What strengths and weaknesses does the structure create?

The introduction to The IIA’s International Standards for the Professional Practice of Internal Auditing states, “Internal auditing is performed in diverse environments and within organizations that vary in purpose, size, and structure” and that such “differences may affect the practice of internal auditing in each environment,” before going on to highlight the mandatory nature of the Standards regardless of these differences.

Understanding and documenting the structure of an organization or one of its subdivisions is a preparatory step for an audit engagement.

Each structure will have different risks and will need specialized controls. For example, a decentralized structure may have higher risks related to synchronizing organizational goals. Controls requiring process approvals may require more creativity to implement, such as by getting buy-in from autonomous managers and using automated control processes to get compliance without undue hardship or delay.

When internal auditors show sensitivity to the organizational structure in their workpapers, findings, and recommendations, it helps prove that they understand the area being audited and have tailored their engagements and findings to the needs and realities of the area. In short, understanding organizational structures is part of showing competence and adding value.

Centralized and Decentralized Structures

Organizational structures can be centralized or decentralized or somewhere in between these points along a spectrum. One type is not necessarily better than another. The optimum structure for a given organization depends on its industry, organizational culture and values, organizational management style, national or regional location(s), national culture, and global footprint.

Key Point
Structure type is important to internal auditors because it has a strong impact on management oversight.

A centralized structure (also called a hierarchical, bureaucratic, or traditional structure) is one in which there are several levels of authority, a long chain of command, and a narrower span of control.
Decision making is concentrated in the higher levels of the management hierarchy.
This structure is more bureaucratic, with a top-down management philosophy.
Employees have little autonomy and must gain approval for actions.
Strengths:
  Economies of scale (e.g., shared services)
  Better control of expenses, preferred vendors, etc.
  Consistency of decisions such as for information system choices
A weakness is that a “silo” mentality can form, where units are optimized but the overall system may be suboptimal and there is poor or slow communication between units.

A decentralized structure (also called a flat structure) is one in which there are fewer levels of authority, a shorter chain of command, and a wider span of control.
Decision making is dispersed in the lower levels of the organization.
The structure is less bureaucratic, with more bottom-up and lateral communication.
Employees have more freedom to take action and have more autonomy.
Strengths:
  Better cross-functional teamwork (less of a “silo” mentality)
  More organizational flexibility and adaptability
  Easier communication (e.g., an “open door” policy)
A weakness can be lack of clear roles and responsibilities.

Key Point
In geographically dispersed organizations or those that grow by mergers and acquisitions, a decentralized structure can provide timely and responsive decision making that can leverage local expertise and minimize management complexity.

Exhibit 3-2 illustrates the differences between centralized and decentralized structures.

Exhibit 3-2: Centralized versus Decentralized Organizational Structures

Hybrid structures often form in large, diversified organizations. Selected functions are managed in a centralized fashion to provide control and economies of scale, while other functions are decentralized to reduce bureaucratic complexity and improve local accountability and entrepreneurial ability. Each individual business unit could be more or less centralized or decentralized depending on what model works best to achieve its objectives.

Departmentalization

Departmentalization is a structure for grouping organizational work into specialized units and jobs. Both centralized and decentralized organizations use departmentalization but in different ways and to different degrees. Grouping classifications may include product, geographic, process, and customer departmentalization as well as functional, divisional, and matrix.

In a functional structure, authority and decision making are arranged by functional groups such as finance, marketing, sales, manufacturing, and research. Advantages are the ability to specialize and control business activities. A disadvantage is narrower perspectives in the organization.

A divisional structure is one in which divisions are fairly autonomous units within the organization. Divisions are specialized and may not even relate to one another. A division may contain all functions for a distinct group of products or services. Overall support is received from the centralized core of the organization. Advantages and disadvantages are similar to those of the functional structure, with the ability to specialize but narrower organizational perspectives.

A matrix structure is a team- and project-based approach between functions and divisions. An employee from a functional department works with a manager from another department on a special team assignment. In essence, the employee reports to two managers for the duration of the project. The matrix structure permits greater flexibility and use of resources. However, there can be accountability and work conflict issues because of the dual reporting relationships. A matrix assignment can be short or long term. Exhibit 3-3 shows an example of a matrix structure.

Exhibit 3-3: Matrix Organizational Structure

A primary benefit of departmentalization is that efficiencies are gained from grouping common knowledge and skills for a focused effort. Disadvantages may be departmental conflicts and the formation of a “silo” mentality.

Summary of Organizational Structures

Exhibit 3-4 compares the advantages and disadvantages of the various types of organizational structures.

Exhibit 3-4: Organizational Structure Comparisons

Centralized (hierarchical)
  Advantages: Economies of scale; Control; Management consistency
  Disadvantages: Slower decision making/responses; Low employee participation; Possible “silos,” conflict/inefficiency, and communication barriers between departments

Decentralized (flat)
  Advantages: Higher employee participation and satisfaction; Faster decision making/responses
  Disadvantages: Loss of economies of scale; Less control over productivity and efficiencies

Functional
  Advantages: Specialization by function; More employee participation
  Disadvantages: Narrower area perspective; Coordination difficult

Divisional
  Advantages: Autonomy by division; Specialization
  Disadvantages: Narrower perspectives; Loss of economies of scale

Matrix
  Advantages: Blend of technical and market emphasis; Efficient use of resources
  Disadvantages: Dual reporting causes employee confusion and possible manager conflict


Topic 3: Business Process Risks and Controls

The internal audit activity frequently needs to perform assurance and consulting engagements for specific functional areas such as HR, procurement, product development, sales, marketing, logistics, or the management of outsourced processes. Some risk and control implications of each of these business processes are presented in this topic. Note that in the interest of brevity, the HR area is addressed in more detail to illustrate the full process, while the other areas have lighter coverage.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Engagement Planning: Establishing Objectives and Scope”
Practice Guide, “Auditing Third-Party Risk Management”
Auditing Human Resources, second edition, by Kelli Vito

Common Business Processes

Common business processes are often grouped into functional areas or departments such as human resources (HR), procurement, product development, sales, marketing, production, finance, accounting, IT, and logistics. Each business process might be managed in-house and/or outsourced in whole or in part. Management of these processes directly and/or as outsourced functions can carry different risk and control implications. Some business processes are also handled as projects. Business processes may cross between functional areas, requiring close coordination and communication.

Functional areas or projects might also be differentiated as core versus non-core activities. Operations (production or service delivery), product development, sales, or perhaps logistics might be core processes, while HR, finance, and other administrative or support functions typically are designated as non-core processes. However, a vendor that provides outsourced HR services would consider these services to be core operations, because HR services is what they are selling. The differentiating factor is usually one of competitive advantage.
If a business process can provide a competitive advantage, the organization will typically retain the process in-house because it can provide these functions at lower cost and/or higher quality (i.e., better value) than if they were outsourced.
Conversely, the organization may or may not outsource part or all of the non-core processes, depending on the best overall value.

Key Point
It is important to understand why the sub-processes within a functional area are grouped together in the first place (and whether some other grouping would make more sense).

Business processes exist to support achievement of one or more business objectives. The various sub-processes in the overall process are all likely interlinked primarily because it creates economies of scale to plan, direct, monitor, and control them as one unit. Logistics and supply chain management arose because new methods were needed to address a business process that crossed multiple functional areas (procurement, warehousing, shipping and receiving, customer service, supplier relationship management, etc.). The new management model created efficiencies and a better customer experience over maintaining “silos.”

Some of the methods discussed next for evaluating business processes or specific functional areas could be used from a big-picture perspective to define engagements in the annual audit plan. Here the focus will be on individual engagement planning and execution. Prior to delving into an audit of an area, internal auditors determine how thorough the audit should be. For example, this could be:
A routine checkup as part of an audit rotation.
An alignment review to see how well the area aligns with organizational objectives.
A compliance review.

According to The IIA
Performance Standard 2200, “Engagement Planning”
Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

As established by Standard 2200 and fleshed out in the “Engagement Planning: Establishing Objectives and Scope” Practice Guide, internal auditors use the following steps to determine objectives and the overall scope of an audit engagement:
Understand context.
Gather information.
Assess risks.
Form objectives.
Establish scope.
Allocate resources.
Document plan.

Since this overall process was addressed in Part 2, here the focus is on the first three of these steps and on the last step, documenting (and implementing) the plan. The internal audit activity reviews and analyzes the business process to understand context and gather information and then assesses area risks to determine which areas should receive higher priority and more audit resources.

The discussion that follows assumes appropriate objectives, scope, and resources are allocated based on this information. (See the Practice Guide mentioned above for more information.)

The last part of the discussion for each functional area discusses plan documentation and implementation. This involves assessing whether the area’s internal controls are appropriate and effective given the area’s objectives and risks.

Before discussing these steps for each functional area, some general points follow.

Understand the Business Process and Gather
Information
In order to determine the intensity level and areas of focus
for an audit engagement of a functional area, internal
auditors need to understand the business process and its
context. What are the area’s objectives, and how do these
trace upward to the organization’s strategy, mission, and
vision? What long-term strategy and annual goals were set
for this business process?

Auditors can start to understand strategic and annual goals
by reviewing business process documentation, including:
Prior audit workpapers.
Process workflows (flowcharts) and area organizational
charts.
Job descriptions or documents related to consultant work.
Customer reviews.
Plans and budgets for the area.
Policy and procedure manuals.
Trends in key performance indicators.

Reviewing process workflows and related narratives is
especially valuable. If a process flowchart does not exist,
creating one or more with the help of the process owner,
such as by conducting walkthroughs, can help the auditor
understand how various parts of the process interrelate as
well as the process inputs and outputs.

Key Point
 
Reviewing or creating process workflows is vital because
they can reveal where one process or sub-process
interacts with or impacts other processes (including
processes in other functional areas) from a risk and control
standpoint.

Process workflows can also help to differentiate between
key and support processes. If a key process fails to occur
correctly, achievement of a specific objective could be
directly and negatively impacted. Even non-core functional
areas will likely have key processes that support the
achievement of a top-level business objective, such as
procurement needing to minimize the cost of goods sold
(competitive price) while maintaining agreed-upon quality
levels (customer satisfaction).

Note that lack of documentation for an area in question may
be a risk in itself that needs to be part of engagement
observations, because it may negatively impact new
employee orientations, leave roles and responsibilities open
to interpretation, make it hard to assess area efficiency, and
make risk and control assessments more difficult.

Documentation review may also include review of external
documents. For example, the management’s discussion and
analysis section of the organization’s financial statements
may discuss the functional area’s objectives and key risks. A
regulatory report or finding may have been issued. There
could be court cases or settlements.

For each process, internal auditors also enlist the help of the
process owner to determine:
Why the process exists.
What functional area objective(s) it supports.
Whether it can be linked to achievement of overall
organizational objective(s).
What policies and procedures exist to direct how people
involved are supposed to act.
What its inputs and outputs are and whether these result
in difficulties due to the need for cooperation and
communication with other functional areas.
Whether the process provides other important benefits to
management.
If the process owner is having difficulty describing these
elements, one way to get to the important parts of the
process is to ask “What part of your job gives you the most
satisfaction?” Another question to ask is “What would most
endanger organizational success if it were done wrong?”

Given an understanding of the business process, its
objectives, and its sub-process interactions, the next step is
to assess risks affecting the process to guide audit priorities.

Map and Weigh the Business Process Risks
Assessing risk for a business process involves harnessing
the organization’s chosen risk management framework,
tools, and techniques. Since the CAE is responsible for
ensuring that a risk assessment is done at least annually, an
overall assessment will likely exist, and this may have been
the reason to include the business process in the annual
audit plan. When determining the risk and control
implications of a particular business process, after reviewing
the applicable risk management reports, internal auditors
may need to:
Evaluate risk at the detail level to determine which risks
are most likely to negatively impact key processes.
Update the assessment for any changes in
likelihood/impact or to identify new risks.
Reassess if new risk information should alter the depth of
the engagement or priorities (such as by using a heat
map, as discussed in Module 1).

After revisiting risk identification and risk prioritization,
internal auditors need to determine which risks affect which
processes or sub-processes. One way to do this is to use a
risk by process matrix, as illustrated below in the discussion
of HR risks and controls.

The results of the detailed risk assessment are used to set
audit objectives, establish scope, and assign resources.

Documenting and Implementing the Plan: Assess Internal Controls
The process of planning, including documenting the plan, is
the most important factor in an audit engagement’s
success. A key aspect of the plan is to ensure that the plan
and the budget for the engagement are properly aligned.
Internal auditors document the results of the prior steps
such as process maps and interview summaries in
workpapers. Supervisors review these workpapers to ensure
that they properly reflect the context, risks, scope,
resources, budget, and so on. Internal auditors may also
develop planning memos that communicate planned work
to management.

Key Point
 
Because not every risk can—or should—be included in a
single engagement, proper planning helps internal
auditors focus their efforts on the most significant risks to
the area.

During the engagement, internal controls are assessed for
their efficiency and effectiveness. One way to assess
internal controls against identified risks is to create a risk
and control matrix. An example of such a matrix is shown
below in the discussion of HR risks and controls.

In addition to determining if existing controls adequately
address the prioritized list of risks, internal auditors may
need to determine control effectiveness. A risk control map,
with risk significance on one axis and control effectiveness
on the other axis, can be created to determine which
controls may need improving and in what priority. An
example follows in the HR area. Such a map or other
analysis might also identify if a business process has too
many controls (i.e., too many controls over low-impact or
low-probability risks). The process might be made more
efficient by eliminating some unnecessary controls.

Reviews such as these may be especially needed during
times of change for the business process. Outsourcing or
cosourcing is one example, but rapid growth or downsizing,
implementation of new technology for the area, new
regulations, or changes in cultural expectations for the
process or area are other examples.

HR Risk and Control
Human resources is often an important functional area for
internal audit review due to the importance of quality
human resources in achievement of objectives and the high
liability risk many HR violations can entail.

Understand the HR Process and Gather Information
The HR functional area can be a strategic partner that
develops the programs and systems necessary to fulfill the
organization’s mission. HR plays a strong role in shaping the
organization’s culture and control environment. HR
objectives may include:
Developing and executing HR strategic planning that is
effective in realizing the human potential required to
achieve organizational strategy.
Ensuring that HR staff are appropriately skilled.
Increasing HR productivity through HR technology while
securing sensitive data.
Accurately determining workforce staffing requirements.
Developing and administering effective organizational
design.
Developing and administering an effective recruitment
and recruit selection process.
Developing legally defensible contractor management and
use policies and processes.
Managing employee turnover and retention (churn)
appropriately.
Ensuring compliance with employment regulations.
Accurately assessing training needs and administering
effective new employee training, technical area training,
and supervisor training.
Developing and administering a training effectiveness
assessment process.

This list could go on, with compensation and benefits,
disciplinary processes, retirement, leave, payroll, employee
and labor relations, employee engagement, safety and
security, and outsourcing or cosourcing.

Exhibit 3-5 shows an example of a process workflow
(flowchart) for the HR functional area highlighting the sub-
process of staffing a new job position and ensuring that
appropriate training and performance monitoring occur. This
workflow would be supplemented by narrative description,
for example, notes indicating who would be responsible for
performing the job analysis.
Exhibit 3-5: HR Workflow for a New Position

This workflow could be analyzed to see if the decision points
are appropriate. For example, a new external hire is always
on-boarded, a contractor may or may not be on-boarded,
and existing employees are never on-boarded again. In
addition to discussing with HR professionals whether this
process is appropriate, the internal auditor could also work
to determine whether the process as implemented aligns
with the process as designed.

Map and Weigh HR Process Risks
HR process risks typically include the following:
Nonexistent or deficient HR strategic plans
Lack of appropriate skills among HR staff leading to
noncompliance with employment law
HR technology privacy risks or record keeping that fails to
keep up with data regulations
Staffing: productivity versus expense risks (Wrong number
of workers are identified, risking unnecessary expense,
incorrectly balanced roles, or poor productivity.)
Organizational structure that harms productivity or
communications
Recruitment or recruit selection risks such as lawsuits or
regulatory noncompliance
Contractor overuse that could violate tax laws
High churn (employee turnover) that risks talent loss
Poor or inadequate employee training that risks loss of
competitive advantage
New employee training that fails to teach employment law
Technical training poor or nonexistent
Manager training poor or nonexistent
Inaccurate performance appraisals
Poor-performing employees not being escalated to higher
levels of disciplinary action
Discipline that is unrecorded or ineffective
Poor workplace culture
Ineffective or nonexistent on-boarding strategies
Workers’ compensation injury claims, medical costs, and
lost productivity
Employee benefits liability (e.g., pension obligations)
Employee or contractor theft or embezzlement

One way to determine which risks affect which processes or
sub-processes is to use a risk by process matrix, which lists
processes or sub-processes in rows and risks in columns.
Such a matrix can differentiate between key (K) and
secondary (S) links between the process and the risk. There
should be only a limited number of key links for a process,
perhaps just one. Secondary links between objectives and
risks help show how processes are interrelated. There could
be any number of secondary links. Exhibit 3-6 shows an
abridged example of a risk by process matrix for the HR
functional area.
Exhibit 3-6: Risk by Process Matrix for HR Functional Area
(Abridged)

Planning and Implementation: Assess HR Internal Controls
One way to assess internal controls for risk is to use a risk
and control matrix. This type of matrix lists each objective
and the key risk that might negatively impact achieving that
objective. It has columns for probability and impact, the
relevant activity that is performed to implement the
objective, and related controls. This could be a listing of
controls that exist or of typical controls for the objective.
Exhibit 3-7 shows an abridged risk and control matrix for the
HR functional area. It lists both existing and needed
(recommended) controls.

Exhibit 3-7: Risk and Control Matrix (HR Example, Abridged)


Columns: Objective; Key Risk; Probability/Impact; Activity; Controls
(existing and needed).

Objective: Effective HR strategic plans
Key risk: HR strategic plans nonexistent/deficient.
Probability/Impact: Probability: Low, but will grow over time (see
needed controls). Impact: High.
Activity: HR program creation.
Controls, existing: Strategy linked to organizational strategy,
consistent with culture. HR operational plan outlines programs,
staff, and time lines.
Controls, needed: Ongoing HR area assessments. Monitor legislative
changes and alter plans.

Objective: Skillful HR staff
Key risk: HR staff lack appropriate skills, risking noncompliance
with employment law.
Probability/Impact: Probability: Medium. Impact: Medium.
Activity: Recruit and select HR staff.
Controls, existing: Clear HR position descriptions, tasks,
authorities, and competencies. Education, experience, and
continuing education requirements are adhered to.
Controls, needed: HR staff encouraged to get HR certification (PHR,
SPHR). HR staff compensation matches salary scales.

Objective: HR technology that enables productivity while controlling
sensitive data
Key risk: HR technology privacy risks or record keeping that fails
to keep up with data regulations.
Probability/Impact: Probability: Medium. Impact: High.
Activity: HR staff recruitment and recruit selection.
Controls, existing: Employee information safeguards exist, including
employee master controls. HR IT system security exists.
Controls, needed: HR staff training on social engineering scams.

Objective: Effective staffing needs assessment
Key risk: Staffing: productivity versus expense risks. (Wrong number
of workers are identified, risking unnecessary expense, incorrectly
balanced roles, or poor productivity.)
Probability/Impact: Probability: Low now, could grow. Impact:
Medium.
Activity: Workforce needs identification process.
Controls, existing: Workforce plan is linked to strategy and
mission. HR forecast of number of workers needed per position.
Controls, needed: Gap analysis of current versus future workforce
profile. Link staffing forecast to training plans in addition to
recruitment.
This matrix would continue for each of the many objectives
of the area. Note that the above matrix was inspired by the
Sample HR Risk Impact and Control Matrix that is an
appendix to The IIA Research Foundation’s Auditing Human
Resources, second edition, by Kelli Vito. See that publication
for more information.
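A worked version of the two HR tools described above, the risk by process matrix with its key (K) and secondary (S) links and the risk and control matrix placed on a risk control map, as an added Python example that is not part of the study guide. The four rows follow Exhibit 3-7; the control-effectiveness ratings, the significance threshold, and the process-to-risk links (Exhibit 3-6 itself is not reproduced in the text) are assumed inputs constructed for the example.

```python
"""Risk by process matrix checks and a risk control map for the HR area.
Added example, not from the study guide. Rows follow Exhibit 3-7; the
effectiveness ratings, threshold and process links are assumed inputs."""

from dataclasses import dataclass

# Ordinal scale shared by probability, impact and control effectiveness.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    objective: str
    risk: str
    probability: str     # from the matrix
    impact: str          # from the matrix
    effectiveness: str   # assumed assessor rating of the existing controls


# Abridged rows of Exhibit 3-7 (effectiveness ratings assumed).
HR_MATRIX = [
    RiskEntry("Effective HR strategic plans",
              "HR strategic plans nonexistent/deficient",
              "low", "high", effectiveness="medium"),
    RiskEntry("Skillful HR staff",
              "HR staff lack appropriate skills",
              "medium", "medium", effectiveness="medium"),
    RiskEntry("HR technology that controls sensitive data",
              "HR privacy / record keeping behind data regulations",
              "medium", "high", effectiveness="low"),
    RiskEntry("Effective staffing needs assessment",
              "Wrong number of workers identified",
              "low", "medium", effectiveness="high"),
]


def significance(entry):
    """Risk significance: probability x impact on the ordinal scale (1..9)."""
    return SCALE[entry.probability] * SCALE[entry.impact]


def quadrant(entry, sig_threshold=4):
    """Place a risk on the risk control map: significance on one axis,
    effectiveness of the existing controls on the other."""
    sig, eff = significance(entry), SCALE[entry.effectiveness]
    if sig >= sig_threshold:
        return "improve now" if eff < 2 else "maintain and test"
    # A low-significance risk with strong controls may be over-controlled.
    return "review for over-control" if eff == 3 else "monitor"


def prioritize(matrix, sig_threshold=4):
    """(risk, significance, quadrant), most significant first and, within a
    tie, weakest controls first."""
    ranked = sorted(matrix,
                    key=lambda e: (-significance(e), SCALE[e.effectiveness]))
    return [(e.risk, significance(e), quadrant(e, sig_threshold))
            for e in ranked]


# Risk by process matrix: process -> {risk: "K" (key) or "S" (secondary)}.
# Constructed links; Exhibit 3-6 itself is not reproduced in the text.
HR_RISK_BY_PROCESS = {
    "HR strategic planning": {
        "HR strategic plans nonexistent/deficient": "K",
        "Wrong number of workers identified": "S"},
    "Recruit and select HR staff": {
        "HR staff lack appropriate skills": "K",
        "HR privacy / record keeping behind data regulations": "S"},
    "Workforce needs identification": {
        "Wrong number of workers identified": "K",
        "HR strategic plans nonexistent/deficient": "S"},
    "On-boarding": {"Ineffective on-boarding strategies": "S"},
    "Payroll": {"Employee or contractor theft or embezzlement": "K",
                "Inaccurate performance appraisals": "K"},
}


def check_key_links(risk_by_process, max_key=1):
    """Flag processes with no key link, more than max_key key links, or a
    tag other than K/S; the text expects only a limited number of key links."""
    findings = []
    for process, links in risk_by_process.items():
        bad = [r for r, tag in links.items() if tag not in ("K", "S")]
        if bad:
            findings.append((process, f"invalid link tag on {bad}"))
        keys = sum(1 for tag in links.values() if tag == "K")
        if keys == 0:
            findings.append((process, "no key risk link"))
        elif keys > max_key:
            findings.append((process, f"{keys} key links (limit {max_key})"))
    return findings


if __name__ == "__main__":
    for risk, sig, q in prioritize(HR_MATRIX):
        print(f"{sig}  {q:24} {risk}")
    for process, issue in check_key_links(HR_RISK_BY_PROCESS):
        print(f"finding: {process}: {issue}")
```

With the assumed ratings, the HR technology risk (medium probability, high impact, weak existing controls) lands in the "improve now" quadrant, and the staffing assessment risk (low significance, strong controls) is flagged for an over-control review, which is the efficiency question the text raises. The key-link check flags a process with no key risk and a process with two, both of which an auditor would want to query with the process owner before relying on the matrix.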

Procurement Risk and Control
Procurement is a process that often requires internal audit
activity attention due to the risk of fraud and corruption.

Note that this and the remaining functional area discussions
are in less depth than the HR discussion. Many of the
concepts and tools discussed in that area can be applied in
similar ways to these remaining functional areas.

Understand the Procurement Process and Gather Information
Exhibit 3-8 shows an example of a process workflow for
procurement. This is an example of what is called a
swimlane flowchart, in which the processes are divided into
“lanes” based on the role or system that is responsible for
that process element. For example, the segregation of
duties between the purchase requisition and its approval by
a superior is obvious in this format.

Exhibit 3-8: Procurement Workflow

Developing an understanding of your organization’s
procurement process is vital, because each procurement
process will have its own risks and red flags depending on
the procurement workflow step, the process maturity, and
the type, materiality, and complexity of the purchases.

Map and Weigh the Procurement Process Risks
Like the HR risk assessment, mapping and weighing risks in
the area of procurement entails using a systematic process,
including the use of tools such as a risk by process matrix.
The result of this process will reveal key procurement
process risks, such as the following:
Fraud, collusion, and corruption
Kickbacks resulting in padded or non-competitive bids
that are accepted
Rigged bidding/tender process
Nonexistent or falsified due diligence
Cost estimates not aligned with market rates
Requirements prepared by a service provider that exist
solely to reduce competition
Bids unsealed before bid opening session
Fictitious invoice payments

Bias in procurement decisions or conflicts of interest in bid
evaluators
Inadequate or nonexistent training of procurement
professionals and supervisors to recognize, detect, and
report fraud and corruption
Procurement not aligned to strategy
Decentralized procurement lacking supervision
Anonymity of bidders/tenderers or confidentiality of bid
information not maintained
Poor or selective disclosure of selection and award criteria
Insufficient distribution/advertisement of requests for
proposals/invitations to tender or insufficient time allowed
for bidding
Suppliers who have falsified certifications, insurance
documents, etc., and are not qualified

Implementation: Assess Procurement Internal Controls
Important procurement internal controls to assess include:
Whistleblower hotline and procedures to encourage
whistleblowers.
Fraud and corruption awareness training.
Vendor information system controls.
Supplier prequalifications and approved supplier lists.
Required approvals and supporting documentation.
Normalization of requests for proposals/invitations to
tender and response format.
Supplier formal complaint or appeal mechanisms for
reporting irregularities.
Supplier performance evaluation.
Due diligence and background/affiliation checks of bid
evaluators, procurement professionals, supervisors, and
suppliers.
Review of winning and non-winning bids for bias, fraud, or
corruption.
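The segregation-of-duties point made for the swimlane flowchart (requester versus approver), the "required approvals and supporting documentation" control, and the fictitious invoice and padded payment risks listed above can all be tested over transaction data rather than by interview alone. The following is an added Python example, not from the study guide: the record layout, the second-approval amount threshold, the split-purchase check (several sub-threshold requisitions that together exceed the threshold, a common way of evading an approval limit), and the sample transactions are constructed assumptions for the example.

```python
"""Segregation-of-duties, approval-threshold and invoice-support checks
over procurement records. Added example, not from the study guide; the
record layout, threshold and sample transactions are constructed."""

from collections import defaultdict, namedtuple

Requisition = namedtuple("Requisition", "id requester approvers vendor amount")
Invoice = namedtuple("Invoice", "id vendor amount po_id")

# Assumed policy: one approver normally, a second approver above this amount.
SECOND_APPROVAL_ABOVE = 10_000


def check_requisitions(reqs, threshold=SECOND_APPROVAL_ABOVE):
    """Flag requisitions that break segregation of duties or lack the
    approval level their amount requires."""
    findings = []
    for r in reqs:
        if not r.approvers:
            findings.append((r.id, "no documented approval"))
        elif r.requester in r.approvers:
            findings.append((r.id, "requester approved own requisition"))
        if r.amount > threshold and len(set(r.approvers)) < 2:
            findings.append((r.id, "amount requires a second approver"))
    return findings


def check_split_purchases(reqs, threshold=SECOND_APPROVAL_ABOVE):
    """Several sub-threshold requisitions by one requester to one vendor
    that together exceed the threshold: a way to evade the second approval."""
    groups = defaultdict(list)
    for r in reqs:
        if r.amount <= threshold:
            groups[(r.requester, r.vendor)].append(r)
    return [(key, sum(x.amount for x in grp))
            for key, grp in groups.items()
            if len(grp) > 1 and sum(x.amount for x in grp) > threshold]


def check_invoices(invoices, reqs):
    """Invoices with no supporting requisition, billed above the approved
    amount, from a different vendor, or duplicated: indicators of
    fictitious or padded payments."""
    by_po = {r.id: r for r in reqs}
    seen, findings = set(), []
    for inv in invoices:
        key = (inv.vendor, inv.amount, inv.po_id)
        if key in seen:
            findings.append((inv.id, "duplicate invoice"))
        seen.add(key)
        po = by_po.get(inv.po_id)
        if po is None:
            findings.append((inv.id, "no supporting requisition"))
        elif po.vendor != inv.vendor:
            findings.append((inv.id, "vendor differs from requisition"))
        elif inv.amount > po.amount:
            findings.append((inv.id, "billed above approved amount"))
    return findings


# Constructed sample data for the example.
REQS = [
    Requisition("PR-1", "alice", ("bob",), "Acme", 4_000),
    Requisition("PR-2", "carol", ("carol",), "Acme", 2_500),    # self-approved
    Requisition("PR-3", "dave", ("erin",), "Globex", 15_000),   # needs 2nd approver
    Requisition("PR-4", "frank", (), "Globex", 800),            # no approval
    Requisition("PR-5", "gina", ("bob",), "Initech", 9_500),    # split purchase
    Requisition("PR-6", "gina", ("bob",), "Initech", 9_000),    # split purchase
]
INVOICES = [
    Invoice("INV-10", "Acme", 4_000, "PR-1"),
    Invoice("INV-11", "Acme", 4_000, "PR-1"),                   # duplicate
    Invoice("INV-12", "Globex", 16_000, "PR-3"),                # over approved
    Invoice("INV-13", "Shelbyville Co", 3_200, "PR-99"),        # no requisition
]

if __name__ == "__main__":
    for finding in check_requisitions(REQS):
        print("requisition:", *finding)
    for (requester, vendor), total in check_split_purchases(REQS):
        print(f"split purchase: {requester} -> {vendor}, total {total}")
    for finding in check_invoices(INVOICES, REQS):
        print("invoice:", *finding)
```

The checks are deliberately simple set and threshold logic so that they can be rerun over a full extract of the procurement system rather than a sample; each finding names the record so the auditor can pull the supporting documentation for it. The split-purchase check is the caveat to a threshold control: an approval limit is only as good as the detection of transactions structured to stay under it.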

Sales and Marketing Risk and Control
Sales and marketing are closely tied to the organization’s
success or failure.

Understand the Sales and Marketing Process and Gather Information
Exhibit 3-9 is an example of a workflow for the sales and
marketing process that shows how sales processes generate
feedback for marketing at many points, both from positive
and negative sales results.
Exhibit 3-9: Sales and Marketing Workflow

Sales and marketing could also have separate workflows,
and many sales processes might look very different
depending on what is being sold.
Map and Weigh the Sales and Marketing
Process Risks
Here are some examples of sales process risks:
Inadequate sales strategy (e.g., failure to understand
customer needs or price sensitivity)
Inaccurate, inadequate, or misleading profit and sales
metrics (e.g., poor quality data, inaccurate data on profit
margins leading to poor profits, treating leads as more
likely to buy than they actually are)
Sales force unaware of or unaligned with marketing
strategy (e.g., ineffective marketing, customers with
unrealistic expectations)
Sales force uneducated or incorrect about product
features (e.g., obvious lack of knowledge, customer
misinformed)
Missed sales quotas (e.g., too few opportunities in
pipeline, lack of direct customer contact, failure to use
data-driven analysis)
Undue sales incentives (e.g., pressure to commit fraud
such as fraudulent procurement activities)

Here are some examples of marketing process risks:
Inadequate or misaligned marketing strategy (e.g., low
conversion rates)
Poor or damaged brand (e.g., improperly managed
negative events, press, or social media criticism)
Marketing affiliations that go awry (e.g., spokesperson
gaffes or misconduct, organization partners who behave
unethically)
Unaligned, incorrect, or poor event branding (e.g., typos in
convention space signage)
False advertising (e.g., public loss of trust, lawsuits, fines)
Violation of anti-spam or data privacy laws and
regulations (e.g., fines, lawsuits)

Implementation: Assess Sales and Marketing Internal Controls
Here are some examples of sales and marketing internal
controls:
Setting explicit sales and marketing strategies aligned
with organizational strategy
Reinforcement of ethical culture and control environment
regarding acceptable sales and marketing tactics
Supervision and required supporting documentation
Regular sales and marketing training, both on soft skills
and use of data-driven analysis
Regular sales and marketing communications and
meetings (including discussions of sales leads earlier in
the pipeline)
Regular product training

Logistics Risk and Control
Logistics involves coordination of many interconnected
processes and entities. Many things could go wrong that
could negatively impact profitability or customer
satisfaction.

Understand the Logistics Process and Gather Information
Logistics is a large process area and, while a large workflow
of the entire process might be constructed, it could be
unwieldy. It is likely that logistics will have many workflows
such as inbound logistics, warehousing, and outbound
logistics. These various workflows still need to be
coordinated with one another to be efficient and effective.
Exhibit 3-10 shows a logistics workflow for how goods flow
through a warehouse to ensure efficiency, safety, and
security.
Exhibit 3-10: Logistics Workflow (Warehouse)

Map and Weigh the Logistics Process Risks
Here are some examples of logistics process risks:
Logistics consuming too much of profit margin, or total
cost of logistics unknown
Carrier hijacking or theft of goods from warehouses,
shipping ports, etc.
Inadequate security procedures or infrastructure
Natural disasters, war, piracy, shipwreck, etc., disrupting
supply chain or specific shipments
Carrier delays, nonperformance, or bankruptcy
Inaccurate inventory recorded
Lack of inventory or too much inventory
Low inventory turnover or obsolete inventory
Accidental or fraudulent discrepancies in shipping: type,
quantity, destination, etc.
Liability for delays or losses (e.g., contractual
requirements, inadequate insurance)
Regulatory changes (e.g., security, safety, environmental)
impacting logistics profitability
Poor resource or equipment utilization
Spikes and dips in demand caused by poor communication
up the supply chain (called the bullwhip effect)

Implementation: Assess Logistics Internal Controls
Here are some examples of logistics internal controls:
Metrics on utilization, turnover, and the seven “rights” of
logistics: right quantity, right product, right time, right
place, right condition, right price, and right information
Increased focus on actual demand by communicating
better with supply chain partners and relying less on
forecasting
Warehouse safety and security protocols and systems
Cost analyses that factor in transportation modes,
distances, warehousing, and third-party intermediary
costs in addition to product costs from various countries
Benchmarking against best-in-class logistics providers
Lists of preferred logistics service providers for backup
transportation or other services
Outsourcing Risks and Controls
This part of the topic includes information from the Practice
Guide “Auditing Third-Party Risk Management” in addition to
other sources.

Understand the Organization’s Outsourcing Strategy and Risk Appetite
When preparing to audit a business process that is
outsourced or cosourced (or is being analyzed for suitability
for being outsourced), the first thing to do is to determine
whether the organization has a defined third-party risk
management program and a related governance structure
as part of its enterprise risk management (ERM) framework.
If so, this program will provide a starting point for identifying
outsourcing risk appetite, policies, processes, defined roles
and responsibilities, and tools used to control risks.

The key question to consider is whether the risk exposure
the organization is incurring (or may incur) by outsourcing
or cosourcing this service, raw material, or component is (or
will be) in line with the organization’s risk appetite.
Opportunities should also be considered, since keeping an
inefficient process in house could have an opportunity cost
(i.e., be a larger ongoing cost than necessary).
The organization may translate its risk appetite for third
parties into a set of minimum standards for the capabilities
of the candidates in terms of governance, risk management,
and control. Internal auditors can assess specific third-party
compliance against these minimum standards.

Organizations have formal or informal third-party risk
management governance structures:
The lowest level of formality can be as simple as a
business manager making independent decisions about
qualifying third parties. An informal structure can create
risks of bias toward certain suppliers or conflicts of
interest, but compensating controls could include
thresholds requiring approval for contracts above a
certain monetary value.
Adding a second line of defense, for example, a contract
review and compliance function, would make this a
defined governance structure.
A third level of formality would be a standardized third-
party risk management governance structure, as is shown
in Exhibit 3-11. Such models are highly recommended for
highly regulated industries or organizations with more
outsourcing complexity.
Exhibit 3-11: Standardized Third-Party Risk Management
Governance

Key Point
 
Management must—as the owners of organizational risk—
identify, assess, manage, and monitor the risks associated
with each third-party relationship on an ongoing basis.

The standardized model adds third-party specialists (e.g.,
supply chain managers) to the first and/or second lines of
defense. Some functions, such as third-party sourcing,
evaluation, and management, may be centralized for
improved control. Internal audit will assess both the first line
of defense (line management) and the second line
(compliance specialists).

Understand the Third-Party Provider Management Process
Internal auditors auditing outsourced processes may need to
audit the overall third-party risk management program or
just one of its process steps. Exhibit 3-12 shows the
elements of a generic third-party provider management
process.

Exhibit 3-12: Third-Party Provider Management Process

Sourcing. Management works to understand the business
context and drivers of the area to be outsourced, strategic
objectives, core competencies, and so on, and then issues
a request for proposal (RFP)/invitation to tender (ITT) for
contracts that exceed a certain monetary value or risk
exposure.
Due diligence. Management narrows the list of
candidates by assessing each against relevant criteria
(e.g., a statement of work), assesses third-party risks
(with the help of subject matter experts), does
background and business performance checks, assesses
ethics, and starts forming a relationship of open
communications.
Contracting. Contracts communicate risk appetite and
minimum standards of internal control to the third party
as well as expected service levels.
Monitoring. Persons with knowledge of the process
should be appointed to manage the third-party
relationship. If a business manager owns the relationship,
decentralized management can be used. KPIs, risk
analyses, required attestations, relationship status, and
other areas of compliance are monitored.
Issue resolution. The third-party relationship owner is
usually responsible for monitoring and addressing issues
and risks that exceed the risk appetite.
Termination. The contract specifies termination
conditions. Thorough and complete termination clauses
can address equipment and technology retrieval,
separation costs, and so on.
Understand the Outsourced Business Process
and Gather Information
In addition to auditing the overall third-party risk
management process, internal auditors may need to audit a
specific outsourced business process. The objectives for
each such process will be specific to the area being
outsourced. For HR outsourcing or cosourcing, for example,
the objectives may be to develop and administer
appropriate service provider selection and management
(this may be called vendor due diligence) and to provide
effective change management for the transition period
toward the new sourcing model.

Map and Weigh the Outsourced Business Process Risks
Internal auditors can use tools such as heat maps or the
other tools to map and weigh the business process risks of
an outsourced process. Key risks for outsourced HR, for
example, may include underestimating the time needed for
the transition due to the complexity of the process,
underestimating organizational resistance to change, HR
technology incompatibility, and information security
breaches. A few examples of generic outsourcing risks
follow:
Bids accepted are bad business deals due to
incompetence or fraud.
Poorly worded contracts create loopholes.
Poor contract choice can create liabilities that reduce
profitability.
Miscommunication occurs due to language or national
culture differences.
Contract noncompliance or default is expensive to
remediate.
Contract termination clauses may include auto-renewal
windows that, if missed, could entail significant additional
costs.

Implementation: Assess Internal Controls
For the outsourcing or cosourcing of a business process or a
functional area, controls may include the following:
Statements of work in the RFP/ITT accurately describe
scope and scope limitations.
The process owner and other stakeholders such as budget
analysts are involved in RFP/ITT creation.
Bids are evaluated for both best value and service
provider competency.
Sole-source contracts are justified, if used, and the
selected provider is capable of providing the full range of
services.
Provider selection uses an adequate due diligence
process, including reference checks.
The process owner reviews future workforce needs to
ensure that the service provider is capable of scaling up to
meet future demand.
Contract negotiations gain agreement on appropriate
incentives, penalties, and the definition of specific
services to provide in a service level agreement.
The service provider contract has appropriate clauses,
including a definition of nonperformance, the means of
correcting deficiencies, and when and how the contract
can be terminated by either party.
The organization maintains a vendor master file for each
vendor to track performance, document sustainability or
ethics agreements, indicate preferred status, ensure
proper application of negotiated discounts, etc.

Key controls for the outsourcing of HR, for example, may
include clearly defined roles and responsibilities or having a
dedicated transition team that sets the scope of the
services offered and coordinates with any cosourced staff to
avoid duplication of efforts.

Topic 4: Project Management
This topic helps internal auditors identify techniques used to
control projects, including a project plan that manages
scope, time, cost, teams, and resources as well as a process
for project change management.

Project Management
Project management is the process of planning,
organizing, directing, and controlling an organization’s
resources (people, equipment, time, and money) for a
temporary endeavor so that project objectives can be met
within defined scope, time, and cost constraints. Internal
auditors typically have excellent project management skills,
since both assurance and consulting engagements are
examples of projects. It is therefore incumbent upon newer
internal auditors to acquire project management skills and
for all internal auditors to continue developing these skills.

Why use project management techniques? Project
management requires much up-front work to define the
problem that needs to be solved and then form a plan to
achieve it. Exhibit 3-13 shows how more up-front “pain” or
effort can reduce total effort, which reduces risks of
uncertain achievement of goals or failure.

Exhibit 3-13: More Up-Front Planning Effort Reduces Total Effort Required

Without such a plan, the budget and the project duration
may end up being far exceeded or the project could fail
because of problems such as scope creep, gold plating,
and/or rework.
Scope creep is when project objectives are extended by
external influences.
Gold plating is when project objectives are extended by
team members without authorization.
Rework may be needed because the wrong tasks (i.e.,
audit tests) were performed.
Scope creep and gold plating result in unplanned additions
to a project’s scope or time, cost, and quality constraints.
Serious problems can occur if internal or external
stakeholders are allowed to add requirements to a project
without also providing additional money and time to get the
extra work done. While project change is necessary to keep
the project responsive, changes must be controlled using
the project objectives and scope as gatekeepers.

Project Planning and Scope

Projects can vary in duration and complexity, but the majority share the following characteristics:
A project is a series of tasks and activities.
It fulfills some need or requirement in an organization.
It has stated objectives that outline a path for achieving the goal.
It has a defined start date, time line, and target completion date.
It has funding or budget limits and dedicated resources (which include materials, energy, space, provisions, communication, quality, risk, etc.).

The challenges of successful project management include delivering a project:
That maintains consistent alignment with project objectives.
Within defined constraints.
At a desired performance/quality level.
That optimizes allocation and integration of the inputs needed to meet the objectives.

Project Life Cycle

Most projects cycle through similar stages from beginning to end. Although the terms and specifics of the cycles vary from industry to industry, projects generally include these stages:

Conception or project initiation is where the project is born and the project goals and objectives are established. Stakeholder expectations must be clearly identified. It is vital to obtain support from senior management at this stage. During this stage, the nature and scope of the project are determined in a project charter, and the project manager and project team are selected. A signed charter releases funding and resources.

The planning, design, budgeting, and scheduling stage is where the project schedule is outlined, the budget is set, and resources are assigned.

The execution and production stage is when the work takes place.

During monitoring and control, the project manager is responsible for overseeing the quality of the work, the progress against the schedule, and the proper use of resources. Project control systems keep a project on track, on time, and within budget. Internal auditors can help determine how important specific projects are to an organization’s bottom line, the types of controls that exist, and any additional controls that are necessary.

The completion and evaluation stage typically involves some culminating event such as client acceptance and sign-off of deliverables. Evaluation often includes assessing the project’s effectiveness at the end of the process. Administrative activities include archiving files and documenting the lessons learned.

Exhibit 3-14 shows the project life cycle and the tasks associated with each phase.

Exhibit 3-14: Project Life Cycle (Project Phase and Project Tasks)

Conception or project initiation:
  Analyze project and spell out organizational needs in measurable goals.
  Conduct review of current operations.
  Complete conceptual design of finished project.
  Prepare financial analysis, costs and benefits, budget.
  Prepare list of assumptions, risks, and obstacles.
  Select stakeholders, including users and support personnel, and develop an understanding of their expectations.
  Develop project charter, including costs, objectives, tasks, deliverables, and schedules.
  Gain approval for the project charter and acquire funding.

Planning, design, budgeting, and scheduling:
  Define work requirements.
  Determine quantity and quality of work.
  Determine and allocate resources needed and estimate their cost.
  Establish major timetable milestones and budget.
  Define deliverables and documentation (can include feasibility study, scope statement, project plan, communications plan, issue log, resource management plan, project schedule, status report).
  Establish basis for performance measurement.
  Generate a project management plan and get formal approval for it, including approval for the required resources.

Execution and production:
  Launch the project management plan.
  Confirm availability of adequate and appropriate project resources.
  Document work teams.
  Teams do work, provide status updates, and produce deliverables.
  Project managers lead, direct, and control.
  Managers and stakeholders receive progress reports and review action plans for correcting differences between plan and actual.

Monitoring and control:
  Track progress, especially during execution but also during planning.
  Compare actual and predicted outcomes.
  Analyze impact.
  Make adjustments to meet project objectives and acceptance criteria.

Completion and evaluation:
  Obtain client acceptance based on acceptance criteria.
  Install project deliverables.
  Complete project documentation such as lessons learned.
  Complete evaluation (for example, measuring stakeholder satisfaction) and post-implementation audit.
  Issue final project report and communicate lessons learned.

Projects need to be performed and delivered under what has traditionally been known as the “project management triangle,” as shown in Exhibit 3-15. One side of the triangle cannot be changed without impacting the others.

Exhibit 3-15: Project Management Triangle

Time is the amount of time available to complete the project. It is broken down into the time required to complete each component of the project and further into task times.

Cost refers to the budgeted amount available for the project. It depends on variables such as labor rates, material rates, risk management, consultant rates, equipment, and profit.

Quality and performance of the final product/service are major components of scope. The amount of time put into individual tasks and the amount of cost expended on resources influence the overall quality. Meeting a defined quality level can have a significant impact on time and cost. If this side of the triangle is fixed, the other constraints must be juggled to meet the quality level defined by the customer acceptance criteria.

Scope means what must be done to produce the project’s end result. It is sometimes represented as the inside of the triangle to show that scope is strongly affected by the time, cost, and quality inputs. Scope is the overall definition of what the project is supposed to accomplish and a specific description of what the end result is supposed to be or accomplish. In addition, defining what is “out of scope” helps limit unwanted work.

These constraints often compete with each other. Increased scope or quality typically means increased time and cost. A tight time constraint might mean increased costs and reduced scope. A tight budget can mean increased time and reduced scope. Quality project management is about providing the tools and techniques that enable the entire project team to organize their work and meet these constraints. If the project manager determines that project changes or issues make meeting any of these constraints infeasible, he or she will need to promptly discuss the issue with management or possibly a change control board.

Time, Resources, and Cost

The following project elements are interrelated, so planning for one area impacts the others.

Project Teams
Project plans and their execution are only as successful as the manager and the team who implement them. Building effective teams is critical to the success of any project.

Projects commonly include the following roles and team members:

Project stakeholders are internal and external individuals and organizations who are actively involved in the project or whose interests may be affected as a result of project execution or completion. Key stakeholders include the project manager, the customer or end user (e.g., the board for internal audit projects), and the project team.

The project sponsor is the person or group who wants the project to occur, who champions support for the project, and who commits the necessary resources.

The project manager is the project leader. He or she is responsible for coordinating and integrating activities and is accountable for project success. A project manager is often a client representative who determines and implements the client’s needs.

The project team is the custom team for a specific project. The team members disband when the project is over. The quality level of team members may impact cost and time.

Project Time, Cost, and Resources

Project managers and their team members can use a variety of tools and techniques to plan, schedule, and manage their projects. Tools commonly associated with project management include Gantt charts and network analysis tools.

The concept behind these tools is that during a project, some activities, known as sequential or linear activities, need to be completed in a particular sequence, with each stage being completed before the next activity or task can begin. Other activities are not dependent on the completion of any other tasks and can be completed at any stage during the time line. These are nondependent or parallel tasks that can be scheduled based on resource availability. Other essential project management techniques include the project budget for cost planning and control and change management to control the scope of the project. The project budget is used as a baseline against which variances from intended costs are measured.

Gantt Chart
The Gantt chart (also known as a horizontal bar chart, a
milestone chart, or an activity chart) is a project scheduling
technique that divides each project into sequential activities
with estimated start and completion times. It allows the
decision maker to visually review a schematic presentation
of the project time budget and compare it with the actual
times.

To create a Gantt chart, the project manager plots the steps of the project and their sequence and duration. The list includes the earliest start date for each task, the estimated length of time it will take, and whether it is parallel or sequential. This forms the basis of the scheduling chart shown in Exhibit 3-16. A Gantt chart’s simplicity allows for easy schedule modifications.

Exhibit 3-16: Gantt Chart

A Gantt chart:
Helps plan tasks that need to be completed.
Provides a basis for scheduling when tasks will be
executed.
Helps plan the allocation of resources necessary to
complete the project.
Helps determine the critical path for a project with a hard
deadline.
Is appropriate for internal audit scheduling because the
audit process does not often require sequence revisions.

Network Analysis (PERT/CPM)

A project network is the graphical representation of a project’s tasks and schedule. Network analysis involves evaluating the network of tasks and functions that contribute to a project in order to determine the most efficient path for reaching the project goals. Network analysis software can help complete project scheduling, including tracking resource costs and usage. Network analysis can help:
Project managers schedule activities in projects with many separate jobs or tasks performed by many departments and individuals.
Project managers identify possible ways to revise or shorten the sequence of activities to expedite the project and/or lower costs.
Internal auditors understand the risk and control implications of projects, especially in complex industries like construction and aircraft manufacturing.

Two common types of network analysis are the program evaluation review technique (PERT) and the critical path method (CPM). Due to their similarity, this type of network analysis is now often referred to as PERT/CPM. These methods are used to schedule, organize, and coordinate tasks, generally for large, complex projects with a high degree of inter-task dependency. Internal auditors may use these tools in evaluating efficiency or may verify their proper use.
A PERT/CPM chart illustrates a project flow graphically. Circles or rectangles represent project milestones that are linked by arrows that indicate the sequence of tasks. Constructing a PERT/CPM network requires three inputs:
Tasks necessary to complete the project
Time required to complete these tasks
Task sequence—including which tasks must be sequential and which can be parallel

The goal of the PERT/CPM chart is to identify the critical path.
The critical path is the sequence of activities that have no slack and will collectively take the longest to complete; its length defines the shortest possible total project duration.
Slack time is the amount of additional time that an activity start can be delayed or an activity can take to complete without delaying the overall project.
Activities on the critical path by definition have no slack, meaning that their start times and durations need to be on schedule or the whole project will be delayed.
Tasks that are not on the critical path may have slack and so could be started later or have duration delays without affecting the overall schedule (until their slack is used up).
Exhibit 3-17 shows an example of a PERT/CPM chart.

Exhibit 3-17: PERT/CPM Chart

Source: Sawyer’s Internal Auditing, fifth edition, by Lawrence B. Sawyer, et al. Used with permission.

In Exhibit 3-17, there are five possible paths to reach the project endpoint (7), and the longest one is the critical path:
1-2-4-7 (98 days)
1-2-3-5-7 (100 days)
1-2-4-5-7 (108 days)—the critical path because it takes the longest to complete
1-3-5-7 (102 days)
1-6-7 (92 days)

The following are benefits and disadvantages of PERT/CPM:
They identify and prioritize tasks that must be completed on time for the whole project to be completed on time.
They identify sequential and parallel tasks.
They identify which tasks can be delayed or accelerated without jeopardizing the project.
They form the basis for all planning and predicting.
They help in scheduling and managing complex projects.
They show the best use of resources to achieve the goal within time and cost limitations.
Unknowns can still impact a schedule, such as delays in resource availability.
Gantt charts are easier to interpret and are usually still needed.

Project Manager Schedule Adjustment or Correction Tools

Unexpected delays or resource conflicts can occur, so a project manager needs to be able to shorten or adjust a project’s time line. The project manager can do the following:

Use “fast tracking” or add lead time. Lead time or “fast tracking” are methods to begin a scheduled task before its predecessor task is completed (if feasible), which means the tasks are performed simultaneously to some degree. For example, the original time line for an advertising brochure may call for the graphics to be completed after the writer finishes the first draft. If the illustrator gets the list of graphics two weeks earlier, there are two weeks’ lead time to finish the graphics, which can help if the illustrator would otherwise be double-booked. Fast tracking creates the risk of rework if the predecessor task impacts how the successor task should have been done.

Use slack time. Activities not on the critical path often have slack. In our brochure example, if marketing activities are not on the critical path, there may be slack in the start date for these activities.

Assign additional resources (“crashing”). It may be possible to increase the resources committed to a task on the critical path, which is called “crashing.” Assigning two people to write the first draft of the advertising brochure could cut the writing time in half (assuming no learning curve). Risks include budget overruns, inefficiency (e.g., learning curves), and diminishing returns for each additional resource.

Schedule overtime. Tasks may be shortened by scheduling project members for overtime. If the critical path is shortened, a different sequence of tasks could become the new critical path.
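The Python below is an added example, not code from the study guide or from Sawyer’s. It computes the forward and backward passes, the slack of every activity, and the critical path for a network shaped like Exhibit 3-17, lists all five paths with their totals, and then crashes one critical-path activity to show the effect the “crashing” and “Schedule overtime” items describe: the project shortens only until another path becomes critical. Because the page gives only the five path totals, the per-activity durations in ACTIVITIES are constructed to reproduce them (98, 100, 108, 102 and 92 days); the milestone numbering, the dict layout and the function names are assumptions.

```python
"""Critical path, slack and crashing for a PERT/CPM network.

Added example, not from the study guide or Sawyer's. The page lists only the
five path totals of Exhibit 3-17 (98, 100, 108, 102, 92 days); the activity
durations below are constructed so that the paths add up to those totals.
"""

# Constructed activity durations in days, keyed (from_milestone, to_milestone).
ACTIVITIES = {
    (1, 2): 10, (2, 4): 30, (4, 7): 58, (2, 3): 20, (3, 5): 30,
    (5, 7): 40, (4, 5): 28, (1, 3): 32, (1, 6): 50, (6, 7): 42,
}


def topological_order(activities):
    """Kahn's algorithm: each milestone appears after all of its predecessors."""
    nodes = {n for edge in activities for n in edge}
    indeg = {n: 0 for n in nodes}
    for _, succ in activities:
        indeg[succ] += 1
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for pred, succ in activities:
            if pred == n:
                indeg[succ] -= 1
                if indeg[succ] == 0:
                    ready.append(succ)
    if len(order) != len(nodes):
        raise ValueError("network contains a cycle; not a valid PERT/CPM chart")
    return order


def analyze(activities):
    """Forward/backward pass; returns (duration, slack per activity, critical path).

    Assumes one start milestone (first in topological order). The earliest
    start times computed here are also what a Gantt chart plots.
    """
    order = topological_order(activities)
    # Forward pass: earliest time each milestone can be reached.
    earliest = {n: 0 for n in order}
    for n in order:
        for (pred, succ), days in activities.items():
            if pred == n:
                earliest[succ] = max(earliest[succ], earliest[n] + days)
    duration = max(earliest.values())
    # Backward pass: latest time a milestone may be reached without delaying the end.
    latest = {n: duration for n in order}
    for n in reversed(order):
        for (pred, succ), days in activities.items():
            if succ == n:
                latest[pred] = min(latest[pred], latest[n] - days)
    # Slack of an activity = latest start - earliest start.
    slack = {(p, s): (latest[s] - days) - earliest[p]
             for (p, s), days in activities.items()}
    # Follow zero-slack activities from the start; ties yield one of several
    # equally critical paths.
    path = [order[0]]
    while True:
        nxt = sorted(s for (p, s), sl in slack.items() if p == path[-1] and sl == 0)
        if not nxt:
            break
        path.append(nxt[0])
    return duration, slack, tuple(path)


def all_paths(activities, start, end):
    """Every start-to-end path with its total duration (the list the page gives)."""
    succs = {}
    for pred, succ in activities:
        succs.setdefault(pred, []).append(succ)
    found = []

    def walk(node, path, total):
        if node == end:
            found.append((tuple(path), total))
            return
        for succ in sorted(succs.get(node, [])):
            walk(succ, path + [succ], total + activities[(node, succ)])

    walk(start, [start], 0)
    return found


def crash(activities, activity, days):
    """Shorten one activity (crashing or overtime) and re-analyze the network."""
    # Once another path becomes critical, cutting this activity further no
    # longer shortens the project: the diminishing returns the text warns of.
    shortened = dict(activities)
    shortened[activity] = max(1, shortened[activity] - days)
    return analyze(shortened)


if __name__ == "__main__":
    duration, slack, critical = analyze(ACTIVITIES)
    for path, total in all_paths(ACTIVITIES, 1, 7):
        print("-".join(map(str, path)), total, "days")
    print("critical path:", critical, "duration:", duration, "slack:", slack)
    print("crash 4-5 by 8 days ->", crash(ACTIVITIES, (4, 5), 8)[::2])
```

With these constructed durations the critical path is 1-2-4-5-7 at 108 days, and activities such as 1-6 and 6-7 carry 16 days of slack. Crashing activity 4-5 by 8 days brings that path down to 100 days, but the project now finishes in 102 days because 1-3-5-7 has become the new critical path; crashing 4-5 by 20 days still yields 102, which is exactly the diminishing return the text describes. An auditor reviewing a schedule can use the same passes to check whether reported slack and crashing decisions are consistent with the network the project team documented.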

Change Management (Scope Control)

While schedules and budgets can be used as baselines against which to measure variances, another tool is needed to ensure that the project remains on scope. Problems such as scope creep or gold plating not only consume staff time and other resources; they also confuse schedules and plans because people are working on things that are not even in the schedule. A disciplined change management process can prevent scope creep and gold plating.

All stakeholders need to be informed in advance of the required process for requesting changes to the scope as agreed upon and proven by the signatures on the project charter. Project team members need training on avoiding doing more work than is in the plan and need to keep in mind that:
The client may not even appreciate this work.
The organization will not appreciate the project going off schedule/budget for unnecessary or avoidable reasons.

A formal change management process (also called change control) involves these steps:
A project stakeholder submits a change order request, which is a request for a significant project change. A significant change is a change that would impact the scope, schedule, or budget. (The project manager has discretion for changes below this threshold.)
The project manager or a change control board for the project performs a change impact assessment, which is a two-step process that reviews:
  The technical merits of the change (including how it impacts interrelated components).
  The impact of the change on the schedule, budget, or other constraints such as quality.
Approved changes are reflected in budget, schedule, and plan updates, and the new plan version is provided and communicated to the team.
Rejected changes and the rationale are communicated. Project managers might create a list or “parking lot” for changes to be considered later or in a future project.

Key Point
If a change is deemed to have technical merit, the project manager must insist on the project sponsor approving additional resources as needed to make the change. If the additional resources are not provided, the project manager should reject the change.
Section B: Data Analytics

This section is designed to help you:
Describe data analytics, data types, data governance, and the value of using data analytics in internal auditing.
Explain the data analytics process (define questions, obtain relevant data, clean/normalize data, analyze data, communicate results).
Recognize the application of data analytics methods in internal auditing (anomaly detection, diagnostic analysis, predictive analysis, network analysis, text analysis, etc.).

According to The IIA
The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section discusses the importance of data analytics to modern internal auditing. It addresses big data, the data analytics process, and the application of data analytics methods.

Topic 1: Data Analytics, Types, and Governance

This topic starts by defining data analytics, data types, and the Vs of data—the qualities of data such as volume and velocity that need to be understood for data to be made into useful information. This discussion will help internal auditors understand why data analytics is becoming increasingly necessary for internal auditing. The topic also addresses the definition and importance of data governance and information security governance.

According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies”
Global Technology Audit Guide (GTAG), “Understanding and Auditing Big Data”
Global Technology Audit Guide (GTAG) 15, “Information Security Governance”

Data Analytics
Data analytics is the process of gathering and analyzing
data and then using that data and the results gathered to
provide business information for making better
organizational decisions and implementing more relevant
policies and procedures. It can also refer to data mining—
gathering information from multiple sources to acquire
results that management can use to make better-informed
decisions.

A definition relevant to CAEs is that data analytics is the process of using analytical techniques and repeatable automated processes (e.g., using scripts) to search for patterns and anomalies and to quantify and highlight potential risks and opportunities using operational, financial, and other data.

Developing competency in data analytics starts by understanding the value of data analytics in internal auditing and learning about the qualities and types of data.

Value of Using Data Analytics in Internal Auditing

Key Point
Data analytics is very important to the internal audit activity. For example, Standard 2240, “Engagement Work Program,” indicates that “work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement.” Similarly, Standard 2320, “Analysis and Evaluation,” states that “internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.” These procedures and analyses often make significant use of data analytics.

Implementation Guidance for Standard 2320 includes the following information related to analytical procedures.

Analytical procedures are used to compare information against expectations, based on an independent (i.e., unbiased) source and the premise that certain relationships between information can be reasonably expected in the absence of conditions to the contrary. Analytical procedures may also be used during engagement planning (2200 series of standards). Examples of analytical procedures include:
Ratio, trend, or regression analysis.
Reasonableness tests.
Period-to-period comparisons.
Forecasts.
Benchmarking information against similar industries or organizational units.

Internal auditors may further investigate any significant deviations from expectations to determine the cause and/or reasonableness of the variance (e.g., fraud, error, or a change in conditions). Unexplainable results may indicate a need for additional follow-up and may suggest the presence of a significant problem that should be communicated to senior management and the board...
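As an added illustration (not from the study guide or from The IIA’s guidance), the Python below runs three of the analytical procedures just listed over a constructed eight-month series of freight expense and shipment counts: a trend expectation fitted by least squares to the earlier months, a period-to-period comparison, and a reasonableness test that relates the expense to its volume driver. The figures, the 10 percent tolerance and the function names are assumptions; the point is that each procedure produces an expectation, and only deviations beyond the tolerance become follow-up items.

```python
"""Analytical procedures over a constructed monthly series.

Added example, not from the study guide or The IIA. Shows three of the
procedures named in the Implementation Guidance for Standard 2320: trend
(least-squares regression) analysis, period-to-period comparison and a
reasonableness test. All figures and tolerances are constructed.
"""

# Constructed: monthly freight expense (thousands) and shipments handled.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug"]
FREIGHT = [100.0, 104.0, 108.0, 111.0, 116.0, 120.0, 145.0, 128.0]
SHIPMENTS = [1000, 1040, 1075, 1110, 1160, 1200, 1210, 1280]


def linear_trend(ys):
    """Least-squares slope and intercept of ys against period index 0..n-1."""
    n = len(ys)
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def trend_exceptions(actuals, tolerance=0.10, history=3):
    """Expectation for each month = trend fitted to all earlier months.

    Returns (index, actual, expected) where the actual is more than
    `tolerance` (a fraction) away from the expectation.
    """
    flagged = []
    for i in range(history, len(actuals)):
        slope, intercept = linear_trend(actuals[:i])
        expected = intercept + slope * i
        if abs(actuals[i] - expected) / expected > tolerance:
            flagged.append((i, actuals[i], round(expected, 1)))
    return flagged


def period_to_period_exceptions(actuals, tolerance=0.10):
    """Flag month-over-month changes larger than `tolerance`."""
    return [(i, actuals[i - 1], actuals[i])
            for i in range(1, len(actuals))
            if abs(actuals[i] - actuals[i - 1]) / actuals[i - 1] > tolerance]


def reasonableness_exceptions(actuals, drivers, tolerance=0.10):
    """Reasonableness test: expense should track its volume driver.

    Expected = this month's driver volume times the cumulative cost per unit
    of all earlier months; deviations beyond `tolerance` are flagged.
    """
    flagged = []
    for i in range(1, len(actuals)):
        rate = sum(actuals[:i]) / sum(drivers[:i])
        expected = rate * drivers[i]
        if abs(actuals[i] - expected) / expected > tolerance:
            flagged.append((i, actuals[i], round(expected, 1)))
    return flagged


def follow_up_items(actuals=FREIGHT, drivers=SHIPMENTS, months=MONTHS):
    """Months flagged by at least one procedure, with the procedures that fired."""
    hits = {}
    for name, flagged in (
        ("trend", trend_exceptions(actuals)),
        ("period-to-period", period_to_period_exceptions(actuals)),
        ("reasonableness", reasonableness_exceptions(actuals, drivers)),
    ):
        for i, *_ in flagged:
            hits.setdefault(months[i], []).append(name)
    return hits


if __name__ == "__main__":
    for month, procedures in follow_up_items().items():
        print(f"{month}: investigate ({', '.join(procedures)})")
```

Note how the procedures disagree: the July spike is flagged by all three, but only the period-to-period comparison also flags August, where the series simply returns to its trend, and the trend expectation for August is itself distorted because July is now part of its history. Disagreements like these are why the guidance calls for investigating the cause of a deviation rather than treating every flag as an exception.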

Each functional area in an organization needs to justify its own existence by showing that it adds more value than it costs to maintain. This is as true for internal auditing as it is for production, sales, or finance. Ways to add value include:
Finding ways to operate more efficiently, or doing more with less.
Operating more effectively, or doing the right things in the first place.
Identifying cost-saving or revenue-generating opportunities for the organization, or adding consulting value.
Data analytics has the potential to assist an audit review by transforming what otherwise might be a surplus of data into useful and actionable information in a timely fashion. Because internal audit has access to data from multiple areas of the organization, the function is uniquely positioned to transform data into information valuable to the organization.

Data analytics will only become more common in the future in internal audit activities. The CAE may want to be proactive and sell the organization on making these strategic investments. After all, identifying even a single major area for cost savings could pay for the investment in software and training. Here are some other specific benefits:
Spend less time on data preparation, formatting, or calculating and more time on value-added analysis.
Fully or partly automate previously manual audit tests and perform them on more (or all) of the items in a population, reducing the need to rely on random or judgmental sampling.
Better filter out false positives or false negatives from results.
Set rules such as a threshold for an invoice amount.
Plan better audits by using analytics to better understand which areas or processes would receive the most benefit from an audit.
Identify, categorize, prioritize, monitor, and manage risk more efficiently and effectively.
Better detect fraud, errors, inefficiencies, red flags, and anomalies.
Better assess the operating effectiveness of internal controls.
Rely less on IT or general data analytics staff if internal auditors can run queries or scripts themselves.

Key Point
Internal audit activities that leverage data analytics better fulfill their responsibilities to evaluate and improve the organization’s governance, risk management, and control processes. They do this by freeing up internal auditor time through fewer manual, time-consuming procedures. The internal audit activity can broaden the scope of its services when it uses less staff per engagement.

The Vs of Data Analytics

As stated in Data Analytics: Elevating Internal Audit’s Value, the four Vs of data are volume, velocity, variety, and veracity. The IIA’s Global Technology Audit Guide (GTAG), “Understanding and Auditing Big Data,” discusses these and some additional Vs: variability, visualization, and value. Exhibit 3-18 addresses each of these Vs from the perspectives of data analytics or big data. While big data will be defined and discussed shortly, note that the term describes both the massive amounts of data organizations may need to process and analyze and the systems capable of making such data into actionable information.

Exhibit 3-18: Vs of Data Analytics and Big Data (V and Why It Is Relevant to Data Analytics or Big Data)

Volume: Volume is the vast amount of data, which is significantly greater than it has ever been due to our ever-increasing abilities to capture data from the point of sale, surveys, Internet sources, and so on. This may mean that analysis needs to take place on servers (which could also improve security). Volume also means that internal auditors and other analysts can now test entire sets of data rather than sampling. This can reduce audit risk, save time, and allow unprecedented insight into operations.

Velocity: Velocity is the increased number of devices online and the large amount of collected data from around the world. Information can be rapidly gathered from anywhere.

Variety: Variety is the numerous types of data being identified, captured, and stored. This can include categorizations such as data formatted for particular software or for a functional area such as finance.

Veracity: Veracity is the truth of the data. Veracity is key, as data analytics is only as good as the underlying data. The adage “garbage in, garbage out” is never more true than in data analytics, yet veracity is often its most overlooked aspect. For example, an erroneous outlier in the source data could skew results and create a false positive or false negative result. In other words, without veracity, organizations risk faulty decisions and auditors risk material errors and erroneous recommendations. Controls can reduce risks of duplicate or incomplete records, entry errors, logic/formula errors, data that violates entry field rules, or otherwise inconsistent data. Investigating outliers is an example of an audit step for data preparation.

Variability: Variability is the wide range of data results and constant change of data. Variability is especially prevalent in big data.

Visualization: Visualization is the difficulty in providing easy-to-interpret yet accurate and useful visualizations of data or analytic results, such as in graphics and charts. This is also an issue for big data.

Value: Value is the opportunity of data analytics or big data to create new insights and translate the insights into actions that create positive outcomes that benefit organizations, consumers, and society.
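The following Python is an added example (not from the study guide or the GTAG) of the data preparation controls the Veracity row describes, run over the full population of a constructed payables extract rather than a sample: incomplete records, field-rule violations (invoice number format, date validity, non-positive amounts), duplicate vendor/invoice pairs, an approval threshold of the kind the benefits list earlier mentions, and a robust outlier test. The CSV rows, the field rules, the 5,000 threshold and all function names are constructed.

```python
"""Data preparation (veracity) checks over a constructed invoice extract.

Added example, not from the study guide or the GTAG. The records, field
rules and threshold are constructed; the checks mirror the controls named
under Veracity and run over every record, not a sample.
"""
import csv
import io
import re
from datetime import datetime
from statistics import median

# Constructed payables extract; the defects are deliberate test cases.
RAW_EXTRACT = """\
invoice_id,vendor,invoice_no,invoice_date,amount
1,ACME,INV-1001,2024-01-05,1250.00
2,ACME,INV-1002,2024-01-12,980.50
3,GLOBEX,GX-77,2024-01-15,2400.00
4,ACME,INV-1001,2024-01-05,1250.00
5,INITECH,,2024-01-20,640.00
6,GLOBEX,GX-78,2024-02-30,300.00
7,INITECH,IT-9,2024-02-02,-120.00
8,ACME,INV-1003,2024-02-10,98000.00
9,GLOBEX,GX-79,2024-02-11,1725.00
10,INITECH,IT-10,2024-02-14,760.00
"""

REQUIRED = ("vendor", "invoice_no", "invoice_date", "amount")
INVOICE_NO_PATTERN = re.compile(r"^[A-Z]{2,4}-\d+$")  # constructed field rule
APPROVAL_THRESHOLD = 5000.00  # constructed: second approver needed at/above this


def parse_extract(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_record(row):
    """Field-level rules for one row; returns the exception codes it triggers."""
    issues = []
    if any(not row.get(field) for field in REQUIRED):
        issues.append("incomplete")
    if row.get("invoice_no") and not INVOICE_NO_PATTERN.match(row["invoice_no"]):
        issues.append("bad_invoice_no")
    if row.get("invoice_date"):
        try:
            datetime.strptime(row["invoice_date"], "%Y-%m-%d")
        except ValueError:
            issues.append("bad_date")  # e.g. 30 February: an entry error
    if row.get("amount"):
        try:
            amount = float(row["amount"])
        except ValueError:
            issues.append("bad_amount")
        else:
            if amount <= 0:
                issues.append("non_positive_amount")
            elif amount >= APPROVAL_THRESHOLD:
                issues.append("above_threshold")
    return issues


def find_duplicates(rows):
    """Rows repeating an earlier (vendor, invoice_no) pair: possible double payment."""
    seen = set()
    dupes = []
    for row in rows:
        key = (row["vendor"], row["invoice_no"])
        if row["invoice_no"] and key in seen:
            dupes.append(row["invoice_id"])
        seen.add(key)
    return dupes


def find_outliers(rows, k=3.0):
    """Robust outlier test: |amount - median| > k * MAD (median absolute deviation)."""
    amounts = []
    for row in rows:
        try:
            amounts.append((row["invoice_id"], float(row["amount"])))
        except ValueError:
            continue  # unparseable amounts are reported by check_record instead
    med = median(a for _, a in amounts)
    mad = median(abs(a - med) for _, a in amounts) or 1.0
    return [rid for rid, a in amounts if abs(a - med) > k * mad]


def run_checks(text=RAW_EXTRACT):
    """Exception report over the whole population: invoice_id -> sorted reasons."""
    rows = parse_extract(text)
    report = {}
    for row in rows:
        for issue in check_record(row):
            report.setdefault(row["invoice_id"], []).append(issue)
    for rid in find_duplicates(rows):
        report.setdefault(rid, []).append("duplicate")
    for rid in find_outliers(rows):
        report.setdefault(rid, []).append("outlier")
    return {rid: sorted(reasons) for rid, reasons in report.items()}


if __name__ == "__main__":
    for rid, reasons in run_checks().items():
        print(f"invoice {rid}: {', '.join(reasons)}")
```

The median and median absolute deviation are used for the outlier test because a mean and standard deviation would be pulled toward the very value being looked for. Every finding here is a candidate for follow-up, not a conclusion: the duplicate may be a legitimate resubmission and the large invoice may be correctly approved, which is the investigation step the Veracity row calls an audit step for data preparation.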

Data Types
While there are many data types at the detail level (this speaks to the V for variety of data), a broad way to categorize data types is structured versus unstructured.

Structured data is data formatted for ease of use in automated or semi-automated analysis, such as into columns and rows, much like a well-ordered spreadsheet. This includes data from databases such as functional area modules in an enterprise resource planning (ERP) system or an audit software package. The organization of structured data enables analysts to run repeatable queries that can be customized to specific objectives. However, data in different structured formats is often not compatible without being converted, which can be straightforward or can require additional steps and custom software.

Unstructured data is data that has not been formatted for ease of use in automated or semi-automated analysis (i.e., data that is not easy to sort or tabulate). Organizations are storing a vast amount of this type of data from social media, emails, word-processing documents, court proceedings, etc.

Big Data
Big data describes the exponential growth and availability of data created by people, applications, and smart machines, as well as large, complex data sets or unstructured data that are beyond the capabilities of traditional data-processing applications. Organizations that invest in the required data collection, storage, processing power, and analytic tools can leverage big data for competitive advantage if they also bolster their data governance and information security governance (including privacy protection).

Here are some examples of sources of big data:
Internal systems (e.g., transaction data, customer complaints, email, messaging)
Industry sources (e.g., customer adoption rates per product)
Society data (e.g., traffic cameras, economic data, social media)
Nature and weather (e.g., weather trends, earthquake data)
Data available from external sources (e.g., data sets available for free use, data sets for purchase or lease such as market research)
Mobile devices, Internet-connected devices, radio frequency ID (RFID) tags, etc.
Web searches

Key Point
The internal audit activity may be able to leverage the acquired, consolidated, and integrated data in the organization’s big data system for use in data analytic efforts for audit projects.

Key stakeholders in big data are discussed next, followed by audits of big data systems.

Big Data Key Stakeholders

Key stakeholders in big data initiatives at organizations include those listed in Exhibit 3-19.

Exhibit 3-19: Big Data Key Stakeholders

Project sponsor: Executive-level resource who drives support and funding for the program
Business/data owners: Data owners who support data consolidation and integration into one solution that supports organizational goals
Business analysts: Specialists who maintain knowledge of business needs and technology capabilities to transform business requirements into big data solutions
Consumers (e.g., marketing): Any function within the organization that consumes data and/or uses the analytic results, possibly including internal auditing
Chief information officer: Executive resource responsible for delivering the technology solution or partnering with external vendors when big data is outsourced
Chief privacy officer/chief information security officer: Executive resources to be consulted on controls related to the security, protection, and use of the data and resulting analytics
Chief data officer: Executive resource who directs enterprise-level data governance
Technical data analytics resources/data analysts: Can include database administrators, software developers, technical tools administrators, and script writers
Data scientists: Advanced analytics professionals who understand the technology and business processes and can develop and support innovative analytics to drive business value (e.g., predictive analytics)

Audits of Big Data

The internal audit activity’s role in big data involves considering big data as an audit universe element during risk assessment and audit planning and educating the board on the organization’s big data risks, challenges, opportunities, benefits, and initiatives. Internal audit activity coverage of big data is typically addressed using multiple audits rather than a single large audit. A key part of this role is assessing the audit risks for big data.

Key Audit Risks for Big Data

The primary risk areas impacting big data include:
Program governance risks.
Technological availability and performance risks.
Security and privacy risks.
Data quality, management, and reporting risks.

Program governance risks relate to lack of appropriate management support, funding, and/or governance over the big data program that can expose the organization to undue risk or failure to meet strategic goals. Controls auditors could suggest may include:
Reviewing the program’s strategy and objectives for appropriateness.
Measuring performance versus expectations.
Requiring a proof of concept before full rollout.
Ensuring adequate funding and resources (with clear roles and responsibilities).
Overseeing internal and third-party systems.

Technological availability and performance risks relate to poor, untimely, or unavailable systems that could create a negative customer experience or fail to realize benefits. Internal auditors may suggest controls such as:
Structuring IT operations to support big data service level expectations, including following a maintenance and patch management strategy.
Ensuring that systems are flexible and scalable and have measurable performance objectives and a regular method to test actual performance.
Ensuring that systems are procured, built, and/or configured in alignment with the complexity and demands documented in the business case.

Security and privacy risks relate to the protection of the data from unauthorized access, modification, or theft and noncompliance with regulations such as for privacy. Privacy is especially important in such systems because the data is being compiled from multiple sources. Ensuring that only authorized individuals can view sensitive data is vital. Internal auditors ensure that:
Big data systems include data, information security management, and privacy strategies.
Third-party access is properly managed.

Data quality, management, and reporting risks relate to poor information leading to poor decisions or inaccurate management reporting. Internal auditors can suggest controls such as:
Verifying that policies and procedures exist related to internal data quality, third-party data quality, reporting accuracy, role-based access, and vendor business alignment.
Ensuring that report controls allow for flexibility, ad hoc reporting, and utility (such as by training report users periodically).

Data and Information Security Governance

Management and oversight of data and information security are part of the control environment and impact the effectiveness of related risk management and control activities.

Data Governance

Data governance involves the organization’s policies and procedures, controls, and related information technologies regarding the collection, use, storage, usability (e.g., formatting for ease of use), analysis, deletion, and safeguarding of data. A shorter definition of data governance is that it is a way of ensuring and continually improving data quality. Safeguarding of data includes ensuring:
Availability (protection from loss).
Integrity (protection from corruption).
Access (role-restricted access to sensitive organizational or customer data).
Compliance with relevant laws and regulations, such as for data privacy.

Management will develop, authorize, direct, manage, and monitor the organization’s data governance policies, procedures, controls, and information systems to ensure alignment with the organization’s strategy, objectives, mission, vision, and ethics statements. Management may be concerned about ensuring that data analytics enables confident and timely decision making, that staff work efficiently and effectively, and that data is leveraged to maximize profit potential.

As with all types of governance, the board and its relevant committees provide oversight over the organization’s data governance plans and activities. The board has a fiduciary responsibility to the organization’s stakeholders and so must understand their data governance needs. However, data governance is management’s day-to-day responsibility. Internal auditors assess the effectiveness of data governance activities.

For big data, data governance activities include:
Identifying data owners and consumers and ensuring that owners take responsibility for the quality and security of their data.
Designating critical data elements and special handling requirements.
Managing metadata (data about data, such as source information), master data, and authoritative data sources.
Ensuring that control processes are at the appropriate level for the sensitivity of the data, including data defect identification and data loss prevention measures.
Ensuring that systems maintain agility throughout their life cycles.

Information Security Governance

According to The IIA

Implementation Standard 2110.A2 (Assurance Engagements)
The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.

Information security governance is a component of overall IT governance that relates to both IT operations and IT projects. Information security governance requires that:
Management promotes good information security practices with clear direction and understanding at all levels, controls information security risks, and creates an information security activity to manage the related objectives and risk appetite.
The board establishes security policy, defines the corporate security culture, communicates the business imperative, and provides oversight over information security activities.
Staff and line management help design and implement information security frameworks and activities, define security requirements, and monitor security controls.

The internal audit activity may provide assurance or other support (in line with its board-approved charter) in the following areas:
Assessing the degree to which governance activities and standards are consistent with the internal audit activity’s understanding of the organization’s risk appetite
Assurance or consulting work that focuses primarily on assurance over and continuous improvement of information security governance practices, policies, roles, responsibilities, risk appetite alignment, effective communication, tone at the top, and accountability
Ongoing dialogue with the information security governance activity to ensure that risks are being addressed in a timely manner

Auditing information security governance starts with planning to understand the structure, objectives, communications, risk appetite, integration within the organization, and external influences. Audit testing includes evaluating stakeholder concerns, reporting lines, KPIs, supporting documents, and risk appetite alignment. Analyzing includes assessments of accountability, design effectiveness, program effectiveness and efficiency, resource levels, the clarity of roles, added value, and continuous improvement.

Topic 2: Data Analytics Framework and Process

This topic addresses establishing a data analytics framework. It also looks at the steps in the data analytics process—defining the questions, obtaining relevant data, cleaning and normalizing the data, analyzing the data, and communicating the results.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies”

Data Analytics Framework

An effective data analytics framework should answer questions such as “What are the top issues facing the organization?” or “How can the audit add more value?” Answering these questions allows for developing a framework that is achievable, aspirational, and identified by smaller milestones that show the progress to achieving the long-term objective. When building a data analytics framework, an entity:
Develops its vision.
Determines how to progress in building data analytics capabilities, including what steps should be taken to elevate performance.
Evaluates current capabilities and identifies people, processes, and technologies to enhance those capabilities. This can include spending money in two critical areas:
  Talent, such as training and staffing
  Technology, such as hardware and software

Once the data analytics framework is established, the entity should progress to implementing and monitoring this new plan. Implementation should be addressed in stages so as not to overwhelm current resources. Monitoring has a two-part role: to gauge the level of adoption from each impacted department and to act as an independent party to assist other areas in improving their data analytics. As an organization’s data analytics framework matures, the organization’s strategies should also advance to meet those changes.

Exhibit 3-20 lists some recommendations for establishing a reliable data analytics framework.

Exhibit 3-20: Data Analytics Framework Recommendations

Aligning: Align data analytics strategy with long-term audit goals and objectives, current audit plans, and the risk management process.
Keeping end in mind: Manage data analytics as a program, focusing on the desired end state of maturity.
Ensuring uniformity: Develop a uniform set of analytics practices and procedures across assessment functions.
Assigning responsibility: Assign responsibility for data management, quality assurance, and other key roles.
Annotating: Document and/or comment scripted analytics to record the intent and context of the analysis being automated.
Testing: Review and test analytics being used to ensure that the results being generated are accurate and appropriate for the audit step being run.
Reviewing: Establish a peer review or supervisory review process to safeguard against the reliance on results generated using incorrect logic or formulas.
Standardizing: Standardize procedures and tests in a central and secure repository.
Safeguarding: Safeguard source data from modification or corruption using technology or by analyzing backup or mirrored data for audit purposes.
Minimizing impact: Address the potential impact of the analysis on production systems, either by scheduling analysis at off-peak times or by using backup or mirrored data.
Educating: Educate staff on how to interpret the results of the analysis performed.
Continuously learning: Treat training as a continuous process, measured by ongoing growth and continuous development of capabilities.
Evolving: Aim for constant improvement with leveraged use of data analysis as it matures.

Source: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies.”

Data Analytics Process

Data analytics lets internal auditors focus efforts on areas identified as needing a higher level of assurance due to higher risk. A proven process for data analytics uses the following steps.

Define the questions. The first step is to define the potential achievements and the anticipated value the data analyst is trying to attain. One approach to do this is to develop a question that needs to be answered. For example, asking “How can we identify where potential fraud is occurring and what parties are involved?” helps establish a basis from which multiple sources of data can be pulled. The internal audit activity should also consider the use of data analytics for audit planning risk assessment.

Obtain the data. The next step is information discovery or obtaining access to the data needed to perform the analysis. It is important that the auditor gain an understanding of the data being analyzed to help avoid making faulty conclusions. For example, data on revenue by division or product line and/or revenue backlogs by value and age can be gathered to identify red flags for revenue-related risks. Getting access to and making the data usable can be difficult and expensive. CAEs have identified obtaining data as the greatest challenge in building data analytics into internal audit activities. An effective data analytics technology solution could take one or more of the following forms:
A pull system involves making ad hoc queries and/or writing reusable query scripts. The goal is to narrow or broaden the focus of an analysis to suit the question being asked. Ideally, these tools should be user-friendly to limit the learning curve and enable broad participation or at least limit needing to use IT resources.
A push system sends predetermined data (basically reports formatted for computer use) out to a repository for use in queries, scripts, or continuous auditing software.
Manually maintained data may exist and need to be gathered. This is the least reliable source of data because it may lack integrity due to ineffective change controls, gaps, or errors. If a manually maintained source of data needs to be used, any automated data that also exists should form the primary basis for the analysis.

Cleanse and normalize data. Data cleansing is identifying and removing duplicate data and identifying whether identically named data fields from different systems have identical or different meanings. This is an especially important step when the data is being compiled from more than one source. Data normalization is the process of organizing data in order to reduce the potential for redundancy and to facilitate the use of the data for specific purposes. Normalization also allows for the identification of anomalies, which might represent actual problems or potential opportunities. If IT must be relied upon to do this step, there often can be significant delays before the work is done and, if there are errors, it could require multiple rounds of effort. Having an auditor on the team who is skilled in doing data integrity and validity checks can streamline this process.

Analyze the data. After the data has been cleansed and
normalized, it should be analyzed. The analysis process
used may differ depending on the type of data being
analyzed. A preliminary analysis can provide initial results
and assist in determining if anomalies reflect errors,
violations of company policies, or red flags for fraud.
Targeted, detailed analysis can follow. Once analyzed, all
data should be interpreted:
Have patterns emerged?
Are identified anomalies errors in the feature or system
or process?
Is senior management aware of the feature and its
consequence?

Communicate the results. The final step is to communicate the results to the board and senior management. Because data analytics results are often heavy in numeric and data tables, providing data visualization and graphical representations is an excellent way to inform leadership and enhance the decision-making processes.
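The cleanse-and-normalize step is the one most often skipped in practice, so here is an added example (not code from the study guide or from The IIA) that carries the process above through on the kind of revenue-by-division data mentioned under "Obtain the data". The two extracts (an ERP export and a legacy system export), their field names such as "CustID" and "inv_date", and every record are constructed; the example shows why duplicates can only be found after formats are standardized, and why a same-named field in two systems still needs its meaning confirmed with the data owner.

```python
"""Cleanse and normalize two constructed extracts before analysis.

Added example, not from the study guide or The IIA. Both data sets and all
field names ("CustID", "customer_id", "inv_date", ...) are constructed.
"""
import re
from datetime import datetime

# Constructed ERP export: one naming convention, amounts as formatted strings
ERP_EXPORT = [
    {"CustID": "C001", "Division": "North", "InvoiceDate": "2023-03-01", "Amount": "1,250.00"},
    {"CustID": "C002", "Division": "South", "InvoiceDate": "2023-03-02", "Amount": "980.50"},
    {"CustID": "C002", "Division": "South", "InvoiceDate": "2023-03-02", "Amount": "980.50"},  # exact duplicate
]

# Constructed legacy export: different field names, dates and amount formats
LEGACY_EXPORT = [
    {"customer_id": " c001 ", "div": "north", "inv_date": "03/05/2023", "amt": "$2,000"},
    {"customer_id": "C003", "div": "East", "inv_date": "03/06/2023", "amt": "450.25"},
    {"customer_id": "C001", "div": "NORTH", "inv_date": "2023-03-05", "amt": "2000.00"},  # duplicate of row 1 once normalized
]

# Map each source's field names onto one common schema. "div" in the legacy
# system is assumed (and should be confirmed with the data owner) to mean the
# same sales division as the ERP "Division" field, not a department code.
FIELD_MAPS = {
    "erp": {"CustID": "customer_id", "Division": "division", "InvoiceDate": "invoice_date", "Amount": "amount"},
    "legacy": {"customer_id": "customer_id", "div": "division", "inv_date": "invoice_date", "amt": "amount"},
}

def parse_amount(raw):
    """Turn '$2,000', '1,250.00' or '980.50' into a float rounded to cents."""
    cleaned = re.sub(r"[^\d.\-]", "", raw)
    return round(float(cleaned), 2)

def parse_date(raw):
    """Accept ISO (YYYY-MM-DD) and US (MM/DD/YYYY) dates; return ISO text."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(raw.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    raise ValueError(f"unrecognized date format: {raw!r}")

def normalize_record(record, source):
    """Rename fields to the common schema and standardize each value."""
    mapped = {FIELD_MAPS[source][k]: v for k, v in record.items()}
    return {
        "customer_id": mapped["customer_id"].strip().upper(),
        "division": mapped["division"].strip().title(),
        "invoice_date": parse_date(mapped["invoice_date"]),
        "amount": parse_amount(mapped["amount"]),
        "source": source,
    }

def cleanse(erp_rows, legacy_rows):
    """Normalize both extracts and drop duplicates on the business key.

    Returns (unique_rows, duplicates_removed). Duplicate detection runs on
    normalized values, so '$2,000' on 03/05/2023 and '2000.00' on 2023-03-05
    for the same customer collapse into one row.
    """
    normalized = [normalize_record(r, "erp") for r in erp_rows]
    normalized += [normalize_record(r, "legacy") for r in legacy_rows]
    seen, unique, dupes = set(), [], []
    for row in normalized:
        key = (row["customer_id"], row["invoice_date"], row["amount"])
        if key in seen:
            dupes.append(row)
        else:
            seen.add(key)
            unique.append(row)
    return unique, dupes

def revenue_by_division(rows):
    """First-pass analysis on the cleansed data: revenue totals per division."""
    totals = {}
    for row in rows:
        totals[row["division"]] = round(totals.get(row["division"], 0.0) + row["amount"], 2)
    return totals

if __name__ == "__main__":
    unique, dupes = cleanse(ERP_EXPORT, LEGACY_EXPORT)
    print(f"{len(unique)} unique rows, {len(dupes)} duplicates removed")
    for division, total in sorted(revenue_by_division(unique).items()):
        print(f"{division:<6} {total:>10.2f}")
```

Keeping the "source" field on every normalized row preserves the audit trail back to the originating system, which matters when a duplicate has to be explained to the data owner. The field map is deliberately explicit rather than matching on column names, since two fields called the same thing in different systems may carry different meanings.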

Topic 3: Data Analytics in Internal Auditing

This topic addresses the application of data analytics methods in internal auditing, including diagnostic, predictive, network, and text analysis, anomaly detection, and other methods. It also addresses internal audit maturity levels for data analytics and some specialized team roles.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies”

Data Analytics in Internal Auditing

Internal audit activities can use data analytics to meet their auditing objectives. By analyzing data in key organizational processes, the internal audit activity can detect changes or vulnerabilities in organizational processes and potential weaknesses that could expose the organization to undue or unplanned risk. The internal audit activity can then target resources to safeguard the organization from excessive risk and improve audit coverage. The discovery power of data analytics also helps ensure that the internal audit activity is auditing today’s risks rather than yesterday’s.

Internal auditors analyze data from multiple sources against control parameters, business rules, and policies to provide fact-based assessments of how well automated controls are operating. Indicators in the data can also provide evidence of how well semi-automated or manual controls are being followed. Analysis of 100% of relevant transactions can identify fraud, errors, inefficiencies, or noncompliance.

Audit-Specific Data Analytics Techniques

Three basic techniques of data analytics that internal audit activities can use are shown in Exhibit 3-21.

Exhibit 3-21: Data Analytics Techniques

Ad Hoc
Exploratory and investigative in nature
Seeking documented conclusions and recommendations
Specific analytic queries performed at a point in time for the purpose of generating audit report findings
Example—search for suspicious vendors or phantom employees by comparing vendors to employees

Repetitive
Periodic analysis of processes from multiple data sources
Seeking to improve the efficiency, consistency, and quality of audits
Managed analytics (scripts) created by specialists and deployed from a centralized, secure environment, accessible to appropriate staff
Example—quarterly journal entry analysis of manual and automated control effectiveness looking for invalid users or account postings, duplicate or frequently reversed entries, or journal entries pre- and post-period close

Continuous
“Always on” scripted auditing and monitoring of key processes
Seeking timely notification of trends, patterns, and exceptions
Supporting risk assessment and enabling audit efficiency
Continual execution of automated audit tests to identify errors, anomalies, patterns, and exceptions as they occur
Example—pay cycle review with exceptions and gaps reported automatically to a third-party recovery partner

Source: Global Technology Audit Guide (GTAG) 16, “Data Analysis Technologies.”

Levels of Maturity in Data Analytics

Exhibit 3-22 shows a maturity model for data analytics. Internal auditors can assess where the internal audit activity currently is versus where it wants to be, taking care to set realistic goals based in part on available funding and resources.
Exhibit 3-22: Maturity Model for Data Analytics

1. Basic: Auditors do (usually ad hoc) queries and analyze data to support a specific audit objective. Analysis includes statistical analysis, classifications, and data summarization. Few audit staff have this capability. Use is not fully integrated in the audit cycle.
2. Applied: Data analytics are fully integrated into targeted audit processes and the audit cycle, including in planning and audit program design. Auditors develop comprehensive suites of quality-controlled repetitive tests. Analytics starts to add real value to efficiency, assurance, and audit findings. The process is still decentralized.
3. Managed: Data analytics is centrally organized and controlled in approach and data security. Data, audit tests, results, audit procedures, and documentation are in a centralized, structured repository subject to audit management review. Even nontechnical audit staff can access test results. Sharing of data, repeatable tests, and results reduces duplication of effort and enables sustainable maturity even if specialists leave.
4. Automated: Internal audit activities increase automation of audit tests and use some continuous auditing. Audit processes start to shift to concurrent, ongoing monitoring of multiple areas. Data access protocols exist to authorize automated analytic tests. Findings from continuous auditing may not always be translated into action.
5. Continuous: A continuous auditing program is fully established across multiple areas, and the internal audit activity regularly produces reports on control problems and the potential for fraud, error, and noncompliance. Risk management processes gain a clearer picture of risk issues and trends. Management may also share monitoring responsibilities.

Advancing to higher levels of data analytics maturity often requires investments in software, but it is equally important to invest in training and recruitment. CAEs may want to establish specialist roles in their audit teams to ensure that any tools will be fully leveraged. Specialist roles may include the following:
Data specialist. Internal auditor with a detailed understanding of the organization’s information systems and how to access data from disparate systems, prepare the data, and make it available to the team.
Data analytics specialist. Internal auditor who is a power user of the data analytics software the organization has provided.

Internal audit leadership and staff auditors need training. Leaders need to have visibility into what audit steps have been automated or are dependent on the use of data analytics software to enable their oversight role. They also need to have enough skill to review analytics findings across the team and against audit plan objectives. Staff auditors need a general understanding of data analytics software and sufficient competency to:
Interpret the results of automatic analytics routines.
Perform simple analyses (sorting, filtering, grouping, and profiling).
Document and report on analytical findings.

Types of Data Analytics

Data analytics exists on a continuum from the most straightforward to the most complex and probabilistic.

Descriptive analysis. A descriptive analysis gathers information and uses hindsight to identify “what happened.” This makes it the analysis type with the least information value, but it is still quite useful for internal auditing. Uses include:
Data visualization—preparing charts or graphs to ease understanding or visually presenting two or more data files in relationship to one another.
Anomaly detection or numeric analysis—identifying the outliers, exceptions, duplicates, or gaps in a set of data that require further review. For example, internal auditors for a utility company used data analytics to generate automated reports on drivers’ fuel use, and an exception report was automatically emailed to the drivers’ managers. This dramatically reduced the number of weekly exceptions.
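The fuel-use exception report described in the utility company example is a good illustration of descriptive anomaly detection, so here is an added example of how such a report can be produced (this is not code from the study guide, The IIA, or the utility in question). The driver IDs, manager IDs, and weekly litre figures are constructed. It flags both directions of anomaly the text describes: a result that is unexpectedly high and the near-absence of an expected result. It scores each driver with a modified z-score built on the median and the median absolute deviation rather than the mean and standard deviation, because a single extreme value would otherwise inflate the spread and hide itself.

```python
"""Exception report for drivers' fuel use, grouped by manager.

Added example, not from the study guide or The IIA; the fuel records,
driver IDs and manager IDs below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed weekly fuel records: (driver_id, manager_id, litres_this_week)
FUEL_RECORDS = [
    ("D01", "M1", 210.0),
    ("D02", "M1", 195.0),
    ("D03", "M1", 205.0),
    ("D04", "M2", 220.0),
    ("D05", "M2", 200.0),
    ("D06", "M2", 615.0),   # far above the fleet: fuel card misuse or a data error?
    ("D07", "M3", 190.0),
    ("D08", "M3", 215.0),
    ("D09", "M3", 40.0),    # far below the fleet: idle vehicle or missing fill-ups?
]

THRESHOLD = 3.5  # conventional cut-off for the modified z-score

def modified_z_scores(values):
    """Robust outlier score: 0.6745 * (x - median) / MAD.

    The median and median absolute deviation (MAD) are used instead of the
    mean and standard deviation so that one extreme value cannot widen the
    measured spread enough to mask itself.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate population (more than half the values identical): there is
        # no spread to measure against, so nothing is scored; review manually.
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]

def fuel_exceptions(records, threshold=THRESHOLD):
    """Return (driver, manager, litres, score) for every flagged record."""
    scores = modified_z_scores([litres for _, _, litres in records])
    return [
        (driver, manager, litres, round(score, 2))
        for (driver, manager, litres), score in zip(records, scores)
        if abs(score) > threshold
    ]

def exception_report(records, threshold=THRESHOLD):
    """Group flagged drivers by manager so each manager sees only their own."""
    report = defaultdict(list)
    for driver, manager, litres, score in fuel_exceptions(records, threshold):
        report[manager].append({"driver": driver, "litres": litres, "score": score})
    return dict(report)

if __name__ == "__main__":
    for manager, items in sorted(exception_report(FUEL_RECORDS).items()):
        print(f"Manager {manager}:")
        for item in items:
            direction = "above" if item["score"] > 0 else "below"
            print(f"  {item['driver']}: {item['litres']:.0f} L, {direction} fleet norm (score {item['score']})")
```

In a repetitive or continuous deployment the report dictionary is what gets emailed to each manager; keeping the score alongside the raw figure lets the recipient see how far from the norm the driver sits, and the threshold is the single parameter an audit supervisor would review and document when approving the script.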

Diagnostic analysis. Diagnostic analysis also uses hindsight and examines specific data or content to uncover the answer to the question “Why did this happen?” It commonly uses techniques such as drill-down, data discovery, data mining, and correlations.

Predictive analysis. Predictive analysis uses insight to assess “what will happen?”—the probability of an event or outcome occurring.

Prescriptive analysis. Prescriptive analysis involves the highest level of difficulty and results in the greatest value. It uses foresight and optimization to build and test scenarios around different policies, combining data, business rules, and mathematical models to determine what course of action would lead to potential outcomes.

Detecting Anomalies with Data Analytics

Anomaly detection is a powerful tool that can be leveraged to find areas of control weaknesses or failures. An anomaly is a result that deviates enough from expectations that it warrants further analysis. It can take the form of a result that is not expected or the absence of an expected result. An anomaly could be a red flag for fraud; a sign of an input, processing, or output error; a control failure; or a valid result that could be studied to provide valuable business information. Data analytics uses for anomaly detection include detection and investigation, operational performance, and internal controls. Other types of data analytics include network and text analysis. These data analytics methods are discussed next.

Analytical Techniques for Internal Auditors

Here are some examples of analytical techniques for audit purposes.
Classification and calculation of statistical parameters (e.g., averages, standard deviations, highest and lowest values) to find outliers, patterns, and associations
Stratification to find unusually high or low values
Benford’s Law (see below)
Joining different data sources to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems
Duplicate testing to identify simple and/or complex duplications of payments, payroll, claims, expense report items, etc.
Gap testing to identify missing numbers in sequential data
Summing values to check control totals
Validating data entry dates and times to identify inappropriate or suspicious postings

Note that Benford’s Law is an observation that the lower numerals, such as 1, 2, and 3, in the leading digit of a set of values occur exponentially more often than the higher numerals, assuming a few things, including that the numbers are not part of an identification system. One use is as a fraud test, such as reviewing payments for an unusually high number starting with 7, 8, or 9.
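Four of the techniques listed above (Benford’s Law, joining data sources on matching account numbers, duplicate testing, and gap testing) are shown together in this added example, which is not code from the study guide or The IIA. The payment register, employee master, vendor master, check numbers, and bank account strings are all constructed. Benford’s expected share for leading digit d is log10(1 + 1/d), so the expected share of amounts starting with 7, 8, or 9 is about 15.5%; the thirteen constructed payments are far too few for a meaningful Benford conclusion, and a real test runs over the whole population.

```python
"""Audit tests over constructed data: Benford first-digit test, gap test on
check numbers, duplicate-payment test, and a vendor-to-employee bank account
match. Added example, not from the study guide or The IIA; every record
below is constructed.
"""
import math
from collections import Counter

# Constructed payment register: (check_no, vendor, amount)
PAYMENTS = [
    (1001, "Acme Supply", 1250.00),
    (1002, "Bolt Freight", 2380.00),
    (1003, "Acme Supply", 1250.00),   # same vendor and amount as check 1001
    (1004, "Cedar Office", 118.40),
    (1005, "Delta Parts", 3460.00),
    (1007, "Acme Supply", 1790.00),   # check 1006 is missing
    (1008, "Bolt Freight", 9870.00),
    (1009, "Cedar Office", 1225.00),
    (1010, "Echo Tools", 4320.00),
    (1011, "Delta Parts", 1562.00),
    (1012, "Echo Tools", 2975.00),
    (1013, "Acme Supply", 1190.00),
    (1016, "Bolt Freight", 8640.00),  # checks 1014 and 1015 are missing
]
# Constructed employee master: (employee_id, name, bank_account)
EMPLOYEES = [("E100", "J. Rivera", "GB12-3456-7890"), ("E101", "K. Osei", "GB98-7654-3210")]
# Constructed vendor master: (vendor, bank_account)
VENDORS = [
    ("Acme Supply", "GB11-1111-1111"),
    ("Bolt Freight", "gb987654 3210"),  # same account as E101, formatted differently
    ("Cedar Office", "GB22-2222-2222"),
]

def benford_expected(digit):
    """Benford's Law: P(first digit = d) = log10(1 + 1/d)."""
    return math.log10(1 + 1 / digit)

def first_digit(amount):
    """Leading non-zero digit of a positive amount (118.40 -> 1, 0.05 -> 5)."""
    return int(f"{amount:.2f}".replace(".", "").lstrip("0")[0])

def benford_test(amounts):
    """{digit: (observed_share, expected_share)} for first digits 1 to 9.

    Only meaningful for naturally occurring amounts in a large population;
    identification numbers and capped values do not follow Benford.
    """
    counts = Counter(first_digit(a) for a in amounts if a > 0)
    n = sum(counts.values())
    return {d: (round(counts[d] / n, 3), round(benford_expected(d), 3)) for d in range(1, 10)}

def high_digit_share(amounts):
    """Share of amounts starting with 7, 8 or 9; Benford expects about 0.155."""
    shares = benford_test(amounts)
    return round(sum(shares[d][0] for d in (7, 8, 9)), 3)

def gap_test(check_numbers):
    """Numbers missing from a sequence that should be unbroken."""
    present = set(check_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def duplicate_test(payments):
    """(vendor, amount) pairs paid more than once: candidate duplicate payments."""
    groups = Counter((vendor, amount) for _, vendor, amount in payments)
    return sorted(key for key, count in groups.items() if count > 1)

def normalize_account(acct):
    """Strip separators and case so differently formatted accounts compare equal."""
    return "".join(ch for ch in acct if ch.isalnum()).upper()

def vendor_employee_match(vendors, employees):
    """Vendors whose bank account equals an employee's: a fake-supplier red flag."""
    by_account = {normalize_account(acct): emp_id for emp_id, _, acct in employees}
    return [(vendor, by_account[normalize_account(acct)])
            for vendor, acct in vendors if normalize_account(acct) in by_account]

if __name__ == "__main__":
    amounts = [amt for _, _, amt in PAYMENTS]
    for d, (obs, exp) in benford_test(amounts).items():
        print(f"digit {d}: observed {obs:.3f}  expected {exp:.3f}")
    print("share starting 7-9:", high_digit_share(amounts))
    print("gaps in check sequence:", gap_test([n for n, _, _ in PAYMENTS]))
    print("possible duplicate payments:", duplicate_test(PAYMENTS))
    print("vendor accounts matching employees:", vendor_employee_match(VENDORS, EMPLOYEES))
```

Each function returns its exceptions rather than printing them, so the same tests can be run ad hoc from a notebook, saved as a repetitive script, or scheduled continuously with the results written to the audit repository. The account match normalizes both sides before comparing, since a mismatch in dashes or case is exactly what lets a duplicated account slip past a naive equality check.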

Categories of Internal Audit Uses for Data Analytics

Internal audit most commonly uses data analytics to detect anomalies in assessments of compliance and operational performance, fraud detection and investigation, and internal control analysis.

Compliance uses. Data analytics helps in assessing whether the data used to determine compliance is sound or contains quality or integrity issues. Another use is when evaluating expense reports, purchasing cards, or vendor invoice line items for trends or anomalies. Data analytics can also be used to assess regulatory requirements such as by doing keyword searches.

Fraud detection and investigation uses. Data analytics can detect “ghost” employees by looking for gaps in the various records that should exist. The same can be done to detect fake suppliers or service providers. Data analytics can create exception reports that are prioritized by those most likely to result in financial or reputation risk to the organization. Such systems can also do root cause analysis after fraud has been detected, answering questions or providing short lists related to who, what, where, and when.

Operational performance uses. Data analytics may aid in the identification of the following types of errors and/or inefficiencies:
Duplicate payments
Foregone payment discounts or failure to assess late collection penalties
Slow-moving inventory or inventory held in quantities that are too high
Cost escalation that is unusual or is not allowed in contract

Data analytics could also highlight better KPIs or help areas converge on the best KPIs.

Internal control analysis uses. Data analytics can be used to analyze proper user access privileges or proper segregation of duties or whether control performance is effective.

Data analytics can be applied to specialty applications such as network and text analysis.

Network analysis. Network analysis refers to the mathematical analysis of complex work activities in terms of a network of related activities. This can pertain to the components and dependencies of all factors within the network.

Text analysis. Text analysis involves extracting machine-readable facts from the text of various sources and creating sets of structured data out of large compilations of unstructured data. This process dissects the data into small, manageable data pieces. Corporations can use text analysis as a starting point for managing content from a data-driven approach. This assists in automating processes such as decision making, product development, marketing optimization, business intelligence, and more.

Data Analysis Software

Here are some capabilities that data analysis software should enable for internal auditing:
Ability to import, access, join, relate, and compare the organization’s data sources while preserving data integrity
Ability to analyze entire populations of data
Support for centralized access, processing, and management of data analysis with controls for information security
Ability to create comprehensive audit trails:
  Creating context for audit findings by recording all of the commands run by the application, command execution status messages, and results generated
  Enabling peer or supervisory quality review and capture of forensic evidence by documenting all intermediate steps used to uncover exceptions so the actions can be explained, substantiated, and defended
  Enabling recall of previous results to see if recommendations were acted upon
Ability to create scripts:
  Enabling intuitive generation of scripts such as by using a macro or task recorder
  Allowing saving and categorizing of prior scripts of audit tests so the tests can be run again and to ensure comprehensive coverage
Ability to perform continuous auditing
Ability to scale up to enable specialist use or more mature internal audit analytical procedures

In addition to these capabilities, a good system will be user-friendly enough to enable the majority of internal audit staff to use some functions with a reasonable amount of training. It should also require minimal IT support for data access or analysis to ensure auditor independence and to keep custom interface development and maintenance cost reasonable.
Section C: Information Technology and Security

This section is designed to help you:
Understand the goals of information security.
Understand the importance and components of IT general controls.
Explain the purpose of various information security controls.
Define the use of information security controls.
Recognize data privacy laws.
Define the potential impact data privacy laws have on data security policies and procedures.
Identify emerging technology practices.
Define the potential impact emerging technology practices have on security.
Describe existing and emerging cybersecurity risks.
Describe cyber- and information security-related policies.
Describe the basic process and considerations for IT auditing.
Recognize the core activities in the systems development life cycle and its delivery.
Recognize the importance of change and patch management controls.
Describe the basic purpose of and tools used in common IT control frameworks.
Recognize the purpose and application of IT control frameworks.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section addresses establishing a comprehensive set of controls to secure the organization’s information systems, the information within them (including data privacy for customers and other stakeholders), and the physical spaces and resources of the organization. This section also addresses the importance of information technology for today’s organizations in meeting their objectives. It covers the reasons internal auditors need to know, at least at a conceptual level, how systems are developed and maintained and the role of IT control frameworks.

Topic 1: Information Security Controls

This topic covers information security and explains the purpose and use of various information security controls.

Information Security

Information security is the set of policies, processes, and procedures used to protect the organization’s intellectual property by ensuring the confidentiality, integrity, and availability of the organization’s data and information in any format (electronic, print, or other media).
Confidentiality is enabling only authorized persons to access or view the information.
Integrity is assurance that the data has not been improperly altered, is correct, and is reliable.
Availability is ensuring that authorized roles and individuals have access to the information and information systems required to perform their duties without unreasonable outages.

In addition to establishing preventive and detective controls,
information security involves continuously monitoring and
responding to security threats. Information security extends
to the data in storage, processing, and transit.

Information Security Risk Management Practices
It is not possible to mitigate all information security risks. A
risk management process is needed to manage exposure to
potential information losses.

Information security risk management encompasses the
processes an organization puts into place so that security
controls and expenditures are appropriate and effective at
mitigating risk exposures. The security risk management
process should be appropriate for the organization and its
security objectives and can follow a typical enterprise risk
management format such as is described in Part 1 of these
materials.

The internal audit activity may assess information security
risks using the following techniques and tools:
Analysis of reported incidents. Records can provide
valuable information about potential and actual losses.

Review of exposure statistics. Statistics from
insurance carriers, industry associations, and regulatory
agencies can provide guidance about potential risk
exposures.

Mapping key processes. Developing process maps and
identifying potential risk points provide helpful insights.

Periodic inspections. Health and safety inspections can
surface compliance lapses and also uncover opportunities
to decrease risks.

Periodic process and product audits. Such internal
audits can incorporate specific questions to identify
potential risks.

Assessments of management system effectiveness.
Beyond internal audits conducted to verify conformance to
one or more standards or to assess continual
improvement, this technique can identify gaps in
management systems that expose the organization to
potential losses.
Scenario analysis. Tools such as brainstorming and mind
mapping are effective to identify all the consequences
that could occur in a worst-case scenario.

This list could go on. The point is to do whatever is
necessary to identify and prioritize risks.

Special Information Security Considerations
While the primary monitoring role over information security
(and other areas) is with management rather than internal
audit, internal audit’s role is to periodically monitor the
effectiveness of information security management. This
includes assessing the organization’s information
confidentiality, integrity, and availability practices and
recommending, as appropriate, enhancements to, or
implementation of, new controls and safeguards.

Such assessments can be either conducted as separate
stand-alone engagements or integrated into other audits or
engagements conducted as part of the annual audit plan.
The nature of the engagement will determine the most
appropriate process for reporting to senior management and
the board.
Assessments of information security should start with an
overall assessment of the control environment and any
control frameworks in use. Implementation Guide 2130
notes that:

[The CAE] should first consider the risk appetite,
risk tolerance, and risk culture of the organization.
It is important for internal auditors to understand
the critical risks that could inhibit the organization’s
ability to achieve its objectives, and the controls
that have been implemented to mitigate risks to an
acceptable level.

The CAE determines whether the internal audit activity
possesses or has access to competent audit resources to
evaluate information security and associated risk exposures.
This includes both internal and external risk exposures and
exposures relating to the organization’s relationships with
outside entities. If specialized knowledge and skills are
required, the organization may need to secure external
service providers.

Guidance recommended by The IIA includes specific
responsibilities for the internal audit activity. As
Implementation Guide 2130 further states:
It is important for internal auditors to obtain a
thorough understanding of the control framework(s)
adopted either formally or informally by the
organization and to become familiar with globally
recognized, comprehensive control frameworks.

To fulfill this standard, the CAE determines whether
information integrity breaches and conditions that might
represent a threat to the organization will promptly be made
known to senior management, the board, and the internal
audit activity.

Internal auditors assess the effectiveness of preventive,
detective, and mitigation measures against past attacks, as
appropriate, and future attempts or incidents deemed likely
to occur. They determine whether the board has been
appropriately informed of threats, incidents, vulnerabilities
exploited, and corrective measures.

Determine Disposition of Security Violations
It is reasonable to expect that the internal audit activity will
monitor whether and how well information security
violations are corrected when they are discovered (similar to
corrective action plans in response to internal audits). In
doing so, the focus of the internal auditor should be to
ensure that the root causes of the security violations are
addressed.

Report on Compliance
The internal audit activity can report to management and
the board on the level of compliance with security rules,
significant violations, and their disposition.

With regard to information security, high-level compliance
can be achieved through the implementation of codes of
practice for information security compliance. An example is
ISO/IEC 27002:2013, which:
Focuses on information security controls and establishes
guidelines and general principles for initiating,
implementing, maintaining, and improving information
security management in an organization.
Contains best practices for control objectives and controls
that can be applied by any organization, regardless of size
or industry.

Organizations adopt ISO/IEC 27002 to develop
organizational security standards and effective security
management practices, address legal and regulatory
concerns, and better manage compliance.
IT General Controls
In addition to the application-specific controls discussed
later in these materials, information security relies on
having a comprehensive set of IT general controls.

IT general controls (ITGC) are those IT controls that form
the basis of the IT control environment (a framework for
ensuring comprehensive information security) and apply to
all systems, components, processes, and data for a given
organization or systems environment. The other broad
category of IT controls is application controls, which relate
to a specific application and so are not general. Some ITGCs
are business-related, such as segregation of duties, and
others are technical and relate to the underlying IT
infrastructure.

Information security needs to be a holistic endeavor so that
a strong protection in one area is not simply bypassed in
some other way, such as:
An outside person bypassing external access security by
accessing the network through someone’s computer with
weak protections (or stealing a laptop with sensitive data).
An unscrupulous programmer adding a backdoor into a
computer system during systems development or a
system update.

To help internal auditors understand the context for ITGCs,
Exhibit 3-23 shows how IT general controls as well as
application controls exist to support overall business
functions. Note how ITGCs relate to both applications and
the IT infrastructure services while application controls
relate only to applications.

Exhibit 3-23: Understanding the IT Environment in a Business Context

The effectiveness of ITGCs is measured by the number of:
Incidents that damage the enterprise’s public reputation.
Systems that do not meet security criteria.
Violations in segregation of duties.

ITGCs are classified in the Global Technology Audit Guide
(GTAG) 1, “Information Technology Risk and Controls,” 2nd
Edition, as follows:
Logical access controls
Systems development life cycle controls
Program change management controls
Physical security controls
Systems data backup and recovery controls
IT operational controls

Of these ITGCs, logical access controls and physical security
controls are not addressed further for The IIA’s Challenge
Exam. Systems development life cycle controls and program
change management controls are addressed elsewhere. IT
operational controls are addressed more next.

IT Operational Controls
IT operational controls are part of ITGCs and include:
IT organizational structure.
Segregation of IT duties.
Financial and budgetary IT controls.
Operational change management.
Operational data security controls.
Security level management.

IT Organizational Structure
Examples of controls that can be built into IT organizational
structure include:
Minimizing the number of users with administrative
privileges.
Using software tools and direct observation by supervisors
to monitor the activities of users with administrative
privileges.
Setting policy guidelines for all employees to take a
certain minimum number of consecutive days off at least
annually, with special emphasis and/or required job
rotations for persons with sensitive roles or access
privileges such as systems controllers.

Segregation of IT Duties
Segregation of IT duties can occur at the ITGC level or the
application level. Segregation of duties at the ITGC level
relates primarily to restrictions to the roles of individuals,
while application-level segregations are primarily automated
controls within systems. Segregation of duties at the ITGC
level includes:

Following the identity and access management (IAM)
principle of allowing access only if the job function
requires it.

Ensuring that initiation, authorization, input, processing,
and validation of data are all done by different individuals
and possibly by different departments.

Ensuring that employees with physical custody of assets
do not have access to the related computer records or
have any other related authorization rights or privileges.

Separating systems development and operations:
Programming and change deployment should be
organizationally and physically separate from users with
access to production systems, and neither should be
able to do the others’ tasks.
Neither should have access to file libraries (a function of
a system librarian) or input/output controls (a function
of the systems controller).

Other segregations include systems analysis and data entry.
Smaller organizations may not have the luxury of this level
of segregation of duties. If this is the case, combined roles
require greater scrutiny. Inadequate segregation of duties
could heighten the potential for fraud, including
misappropriation of assets and fraudulent financial reporting
or statements. It could also result in data tampering and
loss of data privacy.
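
As an added illustration (not part of the guide), the following Python checks a constructed set of role assignments against the conflict pairs listed above and also flags when all transaction duties sit inside a single department; the duty names, users, and departments are assumptions made for this example.

```python
from itertools import combinations

# Duties the guide says must be performed by different individuals.
TRANSACTION_DUTIES = ["initiate", "authorize", "input", "process", "validate"]

# Every pair of transaction duties conflicts, plus the IT-specific separations
# the guide lists (custody vs. records, development vs. operations, librarian
# and systems-controller functions). Duty names are constructed for this example.
CONFLICT_PAIRS = {frozenset(p) for p in combinations(TRANSACTION_DUTIES, 2)}
CONFLICT_PAIRS |= {
    frozenset({"asset_custody", "record_access"}),
    frozenset({"programming", "production_access"}),
    frozenset({"change_deployment", "production_access"}),
    frozenset({"programming", "file_library"}),
    frozenset({"production_access", "io_controls"}),
}


def find_sod_conflicts(assignments, conflict_pairs=CONFLICT_PAIRS):
    """Return sorted (user, duty_a, duty_b) for each conflicting pair one user holds."""
    conflicts = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in conflict_pairs:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def duties_confined_to_one_department(assignments, departments,
                                      duties=TRANSACTION_DUTIES):
    """True when every transaction duty is held inside one department, i.e. the
    'possibly by different departments' layer of separation is absent."""
    involved = {departments[u] for u, held in assignments.items()
                if held & set(duties)}
    return len(involved) <= 1


# Constructed role assignments and departments (not from the guide).
ASSIGNMENTS = {
    "alice": {"initiate", "input"},
    "bob": {"authorize"},
    "carol": {"programming", "production_access"},
    "dave": {"asset_custody", "record_access"},
    "erin": {"validate"},
}
DEPARTMENTS = {"alice": "AP", "bob": "AP", "carol": "IT",
               "dave": "Warehouse", "erin": "AP"}

if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    if duties_confined_to_one_department(ASSIGNMENTS, DEPARTMENTS):
        print("All transaction duties sit in one department; apply greater scrutiny.")
```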

Financial and Budgetary IT Controls
Management needs to ensure that the sizable investments
in IT development and support are effective in helping meet
organizational objectives and are efficient from a cost-
benefit perspective. Related controls include:
Ensuring that there is a process to justify and approve
software projects or ongoing operations using measurable
metrics such as projected return on investment or
savings.
Monitoring and controlling software projects and
operations against baselines.
Evaluating completed software projects or operational
results against their projected results or baselines to
determine the accuracy of those projections, and
reporting on results.
Operational Change Management
While program change management controls are discussed
elsewhere, some IT organization-level change management
controls are discussed here. Change management controls
at the operations level include:

Reviewing exception reporting and transaction logs.
Separating testing and production environments by formal
data migration processes.
Ensuring that adequate audit trails exist.

Audit trails log the functions performed and the changes
made in a system, including who made the change and
when, for example:
An audit log could show repeated incorrect password
entries to investigate.
Comparisons of users to their activities can highlight
unusual activities.
Use of sensitive or powerful command codes can be
reviewed.

The audit trail is either kept in a separate file or sent to the
system activity log file. It must be secure from as many
users as possible, and access restrictions should be
reviewed.
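
The three audit-trail review checks listed above (repeated failed logins, users compared with their expected activity, and use of powerful command codes), carried out in Python over a constructed log sample; this is an added example, not from the guide, and the log format, user baselines, and privileged command names are assumptions.

```python
import re
from collections import Counter

# Constructed audit-trail sample (not from the guide). One event per line:
# <timestamp> user=<id> action=<code> target=<object> result=<SUCCESS|FAIL>
AUDIT_LOG = """\
2024-03-04T08:01:12Z user=jsmith action=LOGIN target=erp result=FAIL
2024-03-04T08:01:20Z user=jsmith action=LOGIN target=erp result=FAIL
2024-03-04T08:01:31Z user=jsmith action=LOGIN target=erp result=FAIL
2024-03-04T08:01:45Z user=jsmith action=LOGIN target=erp result=FAIL
2024-03-04T08:02:03Z user=jsmith action=LOGIN target=erp result=SUCCESS
2024-03-04T08:15:00Z user=mlee action=LOGIN target=erp result=SUCCESS
2024-03-04T08:16:10Z user=mlee action=POST_JOURNAL target=GL-1001 result=SUCCESS
2024-03-04T09:30:42Z user=mlee action=GRANT_ADMIN target=mlee result=SUCCESS
2024-03-04T10:05:09Z user=tops action=LOGIN target=erp result=SUCCESS
2024-03-04T10:06:51Z user=tops action=DELETE_LOG target=erp result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Sensitive or powerful command codes whose every use should be reviewed
# (assumed names for this example).
PRIVILEGED_ACTIONS = {"GRANT_ADMIN", "DELETE_LOG", "CHANGE_CONFIG"}

# Expected activity per user, i.e. the role baseline (constructed).
BASELINE = {
    "jsmith": {"LOGIN", "ENTER_INVOICE"},
    "mlee": {"LOGIN", "POST_JOURNAL"},
    "tops": {"LOGIN", "RUN_BATCH"},
}


def parse_log(text):
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_audit_trail(events, baseline=BASELINE, fail_threshold=3,
                       privileged=PRIVILEGED_ACTIONS):
    """Apply the three review checks and return the findings by category."""
    failed = Counter(e["user"] for e in events
                     if e["action"] == "LOGIN" and e["result"] == "FAIL")
    return {
        # Repeated incorrect password entries worth investigating.
        "repeated_failed_logins": sorted(
            u for u, n in failed.items() if n >= fail_threshold),
        # Every use of a sensitive command code, in time order.
        "privileged_actions": sorted(
            (e["ts"], e["user"], e["action"]) for e in events
            if e["action"] in privileged),
        # Users performing actions outside their expected activity.
        "off_baseline_activity": sorted({
            (e["user"], e["action"]) for e in events
            if e["action"] not in baseline.get(e["user"], set())}),
    }


if __name__ == "__main__":
    for category, items in review_audit_trail(parse_log(AUDIT_LOG)).items():
        print(category, items)
```
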
Preventive maintenance should be performed on hardware
and software systems and on their controls, because doing
so is almost always less expensive than dealing with
problems arising from poor maintenance. An operations
control group should also be formed to monitor the results
of production, including record keeping and balances of
input and output.

Operational Data Security Controls
In addition to controls for the backup of data, organizations
need controls over data as it is being used. In general, data
security must be maintained throughout its use.

Data policies are enforced through data standards, which
define how things need to be done to meet policy
objectives. Enforced standards keep systems functioning
efficiently and smoothly. Standards should be set for
systems development processes, software configuration,
application controls, data structures, and documentation.
Some controls over data security have already been
mentioned. The following are a few others:
End-user training in the proper use of email and the
Internet is important.
Logical controls should prevent end users from installing
new software.
Applications should be safeguarded by keeping them in
computer program libraries, which should be restricted by
physical and logical access controls.
There should be a secure process for disposing of old IT
hardware, because sensitive data may remain on the drives.
This means ensuring that deleted files are really deleted by
using special file deletion software or by physical
electromagnetic wiping. This should be done on hard drives
or backup tapes being resold or discarded.

Security Level Management
Not every system needs the highest level of security. The
cost of the security measures should be commensurate with
the level of risk mitigation required, so this requires
customization for the organization.

To determine appropriate network security levels, the
organization assesses its data repositories and physical
security requirements and assigns security risk levels:

The highest-security physical area or data in a database
defines the area’s security level, for example, key projects
such as R&D data would have elevated security.

The availability, integrity, and confidentiality requirements
for each area are assessed.

Once the security level is known, a multi-tiered security
system can be designed, including provisions for physical,
software, program library, and application security.

Information Security Controls
An organization’s data can be one of its most important
assets. As such, information security is critical.

Information security is a management responsibility. This
responsibility includes all the important information of the
organization, regardless of how the information is stored.

The internal audit activity should ensure that:
Management recognizes this responsibility.
The information security function cannot be breached.
Management is aware of any faulty security provisions.
Corrective measures are taken to resolve all information
security problems.
Risk-based and cost-benefit-based preventive, detective,
and corrective controls are in place to ensure information
security.

IT general controls and application controls such as
passwords and privileges are the basis for information
security. Information security needs to focus on both data
and infrastructure.
Data security should ensure that only authorized users
can access a system, their access is restricted by user
role, unauthorized access is denied, and all changes to
computer systems are logged to provide an audit trail.
Security infrastructure can be part of end-user
applications, and/or it can be integral to servers and
mainframes, called security software.
When the focus on security is primarily at the
application level, such as for small environments, user
and role-based access controls are generally strong but
controls over expert programmers often tend to be
weak.
Security software resides at the server, client, or
mainframe level and provides enhanced security for key
applications, such as wire transfer software.

Errors introduced into a computer system can be just as
costly as malicious attacks. One key control that will help is
setting a clear policy on the use of hardware and software
and training personnel to address the most common errors.
The policy should also address ethics, such as computers
being used for personal activities or illegal acts.

Encryption
Encryption uses a mathematical algorithm to scramble
data. The data cannot be unscrambled without a numeric
key code, which can be designated as a public key (able to
encrypt but not decrypt messages) or a private key (able to
both encrypt and decrypt messages). Public keys add a
layer of security because the private key does not need to
be distributed. Encryption is used on stored data, physically
transmitted data (e.g., on a flash drive), and electronically
transmitted data. Server access control is the use of
internally encrypted passwords to keep technical persons
from browsing password files. Wireless data can also be
encrypted to prevent compromise if it is intercepted.
Key Point
While there are various forms and levels of encryption, the
key point is that organizations wishing to maintain good
encryption may need to avoid the “easy” routes and
commit to a level of investment and effort sufficient for the
targeted level of security.

The relative security of a key is determined by its bit length.
When passwords are used to create keys, effective
password creation rules must be applied. External aids
include cryptographic module testing (CMT) labs and
validation programs for cryptographic modules and their
algorithms.
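
An added Python example (not the guide's) of the point above: a key derived from a password with PBKDF2-HMAC-SHA256 always has the requested bit length, but its effective strength is capped by the password's keyspace, which is why password creation rules matter; the seal/verify pair uses a shared-key HMAC as a simple integrity check, which is a swapped-in symmetric technique, not a digital signature. The policy threshold, salt, and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import math
import string


def derive_key(password, salt, iterations=600_000, key_len=32):
    """PBKDF2-HMAC-SHA256: stretch a password into a key of key_len bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, key_len)


def keyspace_bits(password):
    """Upper bound on the entropy a password can contribute: each character is
    assumed drawn uniformly from the union of the character classes it uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def effective_key_bits(password, key_len=32):
    """The derived key is key_len*8 bits long, but an attacker only has to
    search the password space, so its real strength is the smaller of the two."""
    return min(key_len * 8, keyspace_bits(password))


def meets_policy(password, min_bits=80):
    """Assumed policy: a password-derived key must keep at least min_bits."""
    return effective_key_bits(password) >= min_bits


def seal(key, message):
    """HMAC tag: a recipient holding the same key can detect any alteration."""
    return hmac.new(key, message, "sha256").digest()


def verify(key, message, tag):
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(seal(key, message), tag)


if __name__ == "__main__":
    salt = b"constructed-salt"          # in practice: random, stored with the data
    for pw in ("1234", "Tr0ub4dor&3-Xy9!"):
        key = derive_key(pw, salt)
        print(f"{pw!r}: key is {len(key) * 8} bits, "
              f"effective {effective_key_bits(pw):.1f} bits, "
              f"policy ok: {meets_policy(pw)}")
    key = derive_key("Tr0ub4dor&3-Xy9!", salt)
    tag = seal(key, b"wire transfer 10000")
    print("tampered message accepted:", verify(key, b"wire transfer 90000", tag))
```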

Digital signatures verify the authenticity of a public key user
(including non-repudiation) and the integrity of the message
itself. A server certificate can establish the authenticity of a
site.

Auditing Issues
Evaluating encryption includes evaluating physical controls
over computers that have password keys, testing policies to
see if they are being followed, and implementing and
monitoring logic controls. Protection of private keys from
disclosure to outside parties is paramount. Each security
domain should be able to share its local identity and
security data without compromising its internal directories.

Firewalls
Perpetually available broadband connections need constant
monitoring. A firewall is a hardware/software combination
through which all communications to or from the outside
world are routed. The firewall compares access rules
(controlled by network administrators) against the IP
addresses, names, files, and applications attempting to
enter the system and blocks unauthorized traffic. Firewalls
can:
Improve security by blocking access from certain servers
or applications.
Reduce vulnerability to external attacks (e.g., through
viruses) and ensure IT system efficiency by limiting user
access to certain sites.
Provide a means of monitoring communication and
detecting external intrusions (through intrusion detection
systems, described below) and internal sabotage.
Provide encryption internally (within an enterprise).
Corporate firewalls are often multi-tiered:
A firewall is placed before the web server and any other
public access servers.
A firewall is placed between the public access servers and
the private network areas.
Additional firewalls can be used to protect sensitive data
such as payroll.

An organization’s firewalls should be installed on dedicated
hardware that has no unnecessary software. Internal
auditors verify that firewalls are located in front of critical
systems and are configured to restrict workstation
connection to only those authorized.

The location of a firewall can create a DMZ. DMZs (from
military jargon for “demilitarized zones”) are portions of a
network that are not part of either the Internet or the
internal network, such as between the Internet access
router and the host. If the access router has an access
control list, it creates a DMZ that allows only recognized
traffic to contact the host.

Auditors need to determine if firewalls can be bypassed or
the controls overridden by alternative transactions. User
prompts for allow/deny communications can be the most
risky. Auditors should work with the network administrator
to determine the efficacy of a firewall, how specific its rules
are, and whether the lists of acceptable users, IP addresses,
and applications are kept up-to-date such as by promptly
removing terminated employees. Because a firewall is a
chokepoint, it can be used to audit controls or trace the
source of an incoming attack. Firewall logs could be used as
legal audit evidence if the data was collected, processed,
and retained properly.

A firewall has limitations, for example:
Data can still be stolen via USB flash drive or use of a
personal modem on a voice line.
Employees or visitors could have a conflict of interest
(industrial espionage), or they could simply be gullible and
“help” someone by providing access.
Firewalls can be configured incorrectly.

Auditors should assume that firewalls are always being
probed for weaknesses and that they cannot prevent all
attacks.
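
An added Python example (not from the guide) of the firewall review points above: first-match rule evaluation with an implicit deny, plus checks for allow rules that are overly broad, rules shadowed by an earlier rule (never reached), and single-host allows left in place for terminated employees. The rule set, addresses, and terminated-host list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # CIDR; "0.0.0.0/0" means any source
    dst: str             # CIDR; "0.0.0.0/0" means any destination
    port: Optional[int]  # None means any destination port


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, src_ip, dst_ip, port):
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (rule.port is None or rule.port == port))


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule decides; anything unmatched is denied."""
    for r in rules:
        if matches(r, src_ip, dst_ip, port):
            return r.action, r.name
    return "deny", "implicit-deny"


def audit_rules(rules, terminated_hosts):
    """Return (rule name, issue) pairs for the conditions an auditor checks."""
    findings = []
    for i, r in enumerate(rules):
        src, dst = _net(r.src), _net(r.dst)
        # 1. Shadowed rule: an earlier rule already matches everything it would,
        #    so this rule is dead and its intent is not actually enforced.
        for earlier in rules[:i]:
            if (src.subnet_of(_net(earlier.src)) and dst.subnet_of(_net(earlier.dst))
                    and (earlier.port is None or earlier.port == r.port)):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
        if r.action != "allow":
            continue
        # 2. Overly broad allow: any source reaching the destination on any port.
        if src.prefixlen == 0 and r.port is None:
            findings.append((r.name, "allows any source on any port"))
        # 3. Stale entry: a single-host allow for a terminated employee's address.
        if src.num_addresses == 1 and str(src.network_address) in terminated_hosts:
            findings.append((r.name, "allows host of terminated employee"))
    return findings


# Constructed rule set; documentation-range addresses, not real systems.
RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow-remote-host", "allow", "198.51.100.23/32", "10.0.0.0/8", None),
    Rule("allow-all-internal", "allow", "0.0.0.0/0", "10.0.20.0/24", None),
    Rule("allow-web-http-old", "allow", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
TERMINATED_HOSTS = {"198.51.100.23"}  # addresses whose owners have left (constructed)

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.23", "10.1.2.3", 22))
    for name, issue in audit_rules(RULES, TERMINATED_HOSTS):
        print(f"{name}: {issue}")
```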

Intrusion Detection/Prevention Systems
Browsers process so much data that firewalls alone may not
be sufficient. Intrusion detection/prevention systems
monitor systems for intrusions from browsers.

Types of these systems include the following:
An intrusion detection system (IDS) combined with a
firewall is called an intrusion prevention system (IPS).
Host IPS (HIPS) software can detect and block abnormal
application behavior before it executes by assuming that
abnormal behavior is an unknown form of attack.
Network IPS (NIPS) are hardware and software systems on
a network that analyze incoming packet content, dropping
malicious packets.

These systems usually are more conservative than other
types of firewalls and provide more detailed reports.

Antivirus Software
Antivirus software exists to block known cybersecurity
threats. This type of preventive control is effective only if it
is regularly updated to address emerging threats.

Topic 2: Data Privacy and Security
This topic helps internal auditors recognize the potential
impact of data privacy laws on data security policies,
practices, and controls. The topic also addresses auditing
privacy risks.

According to The IIA
In addition to reviewing the contents of this topic,
students can review the following IIA materials:
Practice Guide, “Auditing Privacy Risks,” 2nd Edition

Data Privacy
Privacy is essentially the right to be left alone and to be
free from surveillance by individuals, organizations, or the
government. Data privacy is the individual’s right to have
a voice in how his or her personally identifiable information
is collected, handled, and used, to control who has access to
that information, and to amend, change, or delete the
information. The “Auditing Smart Devices” Global
Technology Audit Guide cites the following U.S. Department
of Labor definition of personally identifiable information
(PII):

Any representation of information that permits the
identity of an individual to whom the information
applies to be reasonably inferred by either direct or
indirect means. Further PII is defined as
information:
(i) that directly identifies an individual (e.g., name,
address, social security number or other
identifying number or code, telephone number,
email address, etc.) or
(ii) by which an agency intends to identify specific
individuals in conjunction with other data elements
(e.g., indirect information). These data elements
may include a combination of gender, race, birth
date, geographic indicator, and other descriptors.
Additionally, information permitting the physical or
online contacting of a specific individual is the
same as personally identifiable information. This
information can be maintained in either paper,
electronic, or other media.

Photographs and biometric identifiers are other examples of
PII, as is behavioral information, for example, in a customer
relationship management system.

Adherence to data privacy laws and regulations requires
having robust data security policies and practices, because
such laws specify the need to properly secure all end-user
and customer data. Also, many laws and regulations have
specific provisions related to “sensitive information,” and
they may define what is meant by this term in different
ways. Exhibit 3-24 shows examples of various types of
sensitive information. (These are just examples; a review of
applicable regulations is needed to determine what each
given regulation considers sensitive.)

Exhibit 3-24: Sensitive Information

Sensitive health information
  Medical records
  Health plan beneficiary information
  Physical or mental health information
  Provided health services or information collected during visits

Sensitive financial information
  Account numbers (e.g., bank accounts, credit card numbers)
  Financial history
  Salary information

Other sensitive information
  Racial or ethnic origin
  Religious or philosophical beliefs
  Political opinions
  Trade union membership
  Legal proceedings and civil actions
  Combinations of certain information

IT can make invasions of privacy easy and inexpensive. Any
transaction entered into an information system, from simple
purchases to medical records, can be stored indefinitely and
potentially used for marketing or crime fighting as well as
for illegal activities such as blackmail.

Privacy is an issue for corporate data, employees, and
customers. Corporate data must be safeguarded for a
business to stay viable. Employees and their employers are
in conflict on privacy, because organizations want to both
protect their interests and guard against improper activity,
while employees want to feel that they have a measure of
privacy at work. Software can log websites visited and track
every keystroke a user makes.

Higher levels of monitoring can provide control but at the
possible price of lower morale. Clear communication of the
privacy policy will help with morale. The policy should
inform employees what is and isn’t monitored as well as
what is expected of them, such as using the Internet only
for specific activities. Logical controls over possible sites
that can be visited can reduce the need to monitor
employee activities.

Data Privacy Laws and Frameworks
The privacy laws in Europe and in the United States,
Canada, and other countries are based in part on fair
information practices (FIPs). FIPs acknowledge that the
parties in a transaction have obligations to each other.
Individuals have rights to privacy but need to prove their
identity; organizations have responsibilities over the
collection and use of information. FIPs include:

Notice. Prior to collecting data, websites must disclose
who is collecting the data, its uses, other recipients, what
is voluntary, and what will be done to protect the data.

Choice. Consumers should be able to choose how the
information is used outside of support for the current
transaction.

Access. Consumers should be able to access and modify
their personal information without great expense or
hardship.

Security. Data collectors must ensure that they have
adequate data controls.

Enforcement. FIPs must be enforced via self-regulation,
legislation giving recourse rights to consumers, and other
laws.
A number of laws exist to protect privacy against
government intrusion, such as the Canadian Privacy Act,
which sets rules for the government’s ability to collect and
use information about its citizens. Fewer regulations apply
to the private sector, and self-regulation is the general
tendency. Because many nations have privacy laws that
may differ considerably, the Organisation for Economic
Co-operation and Development (OECD) and similar
organizations are working to create consistency in privacy
laws and laws on the transborder flow of information.

Key Point
While many countries (and even some regions, such as
California in the United States) have privacy laws or
regulations, the best way to study for the exam is to learn
the principles behind these laws since they share many
principles.

In the European Union (EU), the General Data Protection
Regulation (GDPR) is a binding regulation. The GDPR obliges
EU member states to protect the fundamental rights and
freedoms of persons, in particular their right to personal
data privacy. Much like the FIPs described above, the GDPR
gives individuals the right to:
Be informed of how organizations are using their personal
data (i.e., a privacy policy).
Access their personal data.
Rectify incorrect information.
Be forgotten. (Individuals can request deletion of their
personal information.)
Have data portability. (Individuals can request a copy of
their personal information.)
Object or opt out of future data collection at any time.

While this is an EU regulation, any organization in any part
of the world that collects or holds the personal data of
persons residing in the EU will need to have policies,
procedures, and IT systems in place as appropriate. Many
organizations that do business globally have welcomed the
GDPR as a gold standard for privacy that may prevent
needing to instead comply with a patchwork of national
regulations. Organizations should seek advice from legal
counsel when developing or adopting a privacy framework.
Key Point
Organizations with a global footprint often use the most
stringent data privacy regulation as a base standard for
their operations in all countries to limit risk. Many
organizations use the GDPR as this standard because
noncompliance could put them out of business.

There may be nuances to data privacy depending on the
organization’s business sector.
Public sector. Governments collect PII in a vast number
of areas, for example, real estate, voter registration,
taxation, welfare, and law enforcement. Compliance
requirements may be specific to different levels of public
entities. The risk of files being misused, lost, or stolen is
high. There may be rules or laws that prevent (or permit,
given an approval process) one agency from comparing PII
with others, called data matching (e.g., law enforcement
reviewing driver databases).
Social services. Government agencies are subject to
specific compliance requirements, but other institutions
such as churches may be exempt from general legal
frameworks, which could lead to lax privacy controls.
Financial services. Many regulations and active
supervisory bodies exist due to the sensitivity of PII such
as credit history.
Marketing, retail, and social media. PII includes
address lists, consumer profiles, financial information,
purchase history, personal preferences, and so on. Such
information may be bought or sold. Sector associations
offer codes of conduct.
Utilities, transportation, and travel. PII is collected at
tollways and parking areas and in traffic systems.
Health care and research. Sensitive patient information is highly regulated. One example is the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of protected health information. It applies to health plans, health-care clearinghouses, and health-care providers (the covered entities) and, through business associate agreements, to the service providers that handle such information on their behalf.
International business. Many laws and regulations require that PII not leave the country in which it was collected (data localization). These rules address the loss of control that occurs when PII is transferred to another jurisdiction, which may not recognize the originating nation's laws.

Data Privacy Controls
Data privacy controls can mitigate the risks of potential
misuse, leaks, or loss of PII. Benefits of good data privacy
controls include:
Public image and brand protection.
Customer, employee, donor, and business partner PII
protection.
Credibility, confidence, and goodwill leading to
competitive advantage.
Compliance.

Fundamental controls for data security include ensuring
adequate governance and oversight by the board and
management. Another general control example is
benchmarking the organization’s privacy compliance and
data-handling practices and weaknesses against
international policies, laws, regulations, and best practices.
Here are some additional elements of an effective privacy
program:
Clear roles and responsibilities
Privacy statement/notice
Written policies and procedures for the collection, use,
disclosure, retention, and disposal of PII
Information security practices, incident response plans,
and corrective action plans
Training and education of employees
Privacy risk assessments and maturity models
Monitoring, auditing, and compliance with privacy laws
and regulations
Inventory of the types and uses of PII
Controls over service providers (outsourcing)

Ethics in Data Storage
Data storage can become an ethical issue. Data needs to be
safeguarded per data privacy policies, regulations, etc.
However, it may also need to be protected from deletion for
audits or evidence of compliance. Electronic data such as
emails are considered legal evidence (in the United States,
this is covered under the Federal Rules of Evidence), and
some companies have received large fines for denying
access to or deleting such evidence. Internal auditors need
to develop an awareness of these and other ethical
implications when providing assurance or consulting on data
storage or deletion policies.

Data Security Practices
Sustaining privacy practices can be challenging. IT advancements and outsourcing trends make it difficult to determine where data is stored, how it is protected, who has access to it, and whether it is disposed of securely. This evolution has outpaced legal frameworks and industry standards. Such inconsistency and uncertainty create assurance risk. CAEs can ask questions such as the following related to data security practices:
Does a board committee exist to consider risk appetite
related to privacy risk?
What is management’s privacy risk appetite?
What are the current or likely forthcoming applicable
privacy laws and regulations?
What PII does the organization collect, who defines what is
private, and are the definitions consistent or appropriate?
Does the organization have privacy procedures and
programs with defined responsibilities and accountabilities
and sufficient resources to be effective?
Does the organization know where all personal
information is stored and who has access?
How is PII protected at the database, network, system
platform, application, and business process layers?
Is any PII disclosed to or processed by third parties?
Do employees receive privacy awareness training specific
to their responsibilities?
Does management periodically assess program
effectiveness and need for meeting new requirements?
Auditing Data Privacy
Data privacy audits can help with compliance, including
measuring and improving compliance with the
organization’s data protection system. Audits can also
identify potential inconsistencies between policies and
actual practices, which can help provide assurance over
reputation risks or help ensure that privacy response
procedures are effective. An audit can be used as a tool to
raise the level of data protection awareness among
management and staff.

Internal auditors look for data privacy risks in three basic categories, as shown in Exhibit 3-25.

Exhibit 3-25: Threats to Organizations, Stakeholders, and Individuals

Threats to organizations. Privacy breaches can attract significant attention from the press, supervisory authorities, and privacy watchdogs. An organization could fail to achieve its objectives and could experience operational disruptions, inefficiency, or reputation damage, with severe financial impacts. Specific control weaknesses when processing PII include:
Excessive collection.
Incomplete or outdated information.
Damaged data.
Inadequate access controls.
Excessive sharing.
Incorrect processing.
Inadequate use.
Undue disclosure.
Undue retention.

Threats to stakeholders. While excessive privacy practices can hinder efficiency and thus investor returns, the risks of damaged reputation and litigation usually outweigh this consideration.

Threats to individuals. Individuals may be victims of identity theft, bear extra cost, experience discrimination, or have limited control over their PII. For example, data submitted for a job application could be used for intrusive, unfair, unreliable, or adverse purposes.

Evaluating the Organization's Data Privacy Framework
Internal audit determines whether a data privacy framework
exists and evaluates the framework to ensure that the board
has set a risk appetite related to privacy risks and that the
framework is effective in identifying and addressing
significant risks. Internal auditors may need to work with
other parties to understand the context of security policies
and guidelines for both internal use and those
communicated to customers, including:
Legal counsel, to identify other steps that should be
performed.
Privacy professionals, to help internal auditors develop an
understanding of data privacy framework maturity.
IT specialists, to help create a process map of information
flows, system controls, and the PII life cycle, including
incident response programs.

Internal auditors also need to determine how the framework
and related policies classify organizational data and
evaluate whether the levels of classification and related
controls are appropriate. Classifications are usually based
on the level of harm a data breach or misuse could cause
and/or the regulatory penalties for noncompliance. Another
area of review is whether the framework has a privacy
incident response plan and related templates.

Assessing Risk
Categories of privacy risk include the following:
Legal and organizational risk. Internal auditors ensure
that relevant privacy laws and other regulations are
communicated to clearly designated responsible parties.
Personnel are told what is expected of them and what
the individual and organizational penalties are for
noncompliance.
Auditors assess personnel competency levels and
whether they have a process to keep current with new
laws, regulations, and technologies (e.g., cloud
computing).
Proof of compliance is required, not just compliance, so
documentation must be addressed.
Auditors determine if management is spending too
much on privacy controls (e.g., expensive encryption for
routine data).

Infrastructure risk. PII processing steps may include paper or online forms, data entry, or fully automated steps. Each time PII moves or changes format, new vulnerabilities to the confidentiality, integrity, and availability of the data arise. Internal auditors should trace PII through operations as well as backup storage, for example by reviewing encryption at rest and in transit. Controls include:
Paper shredders, locked files, or other physical controls.
IT general controls and application controls.

Each platform or technology should have a data map and an inventory of all PII, including transfers to third parties.

Application risk. Evaluating software involves reviewing privacy risk assessments and whether "privacy by design" has been applied, such as use of data classification standards, least-privilege defaults for user access, or authorization limits on external interfaces.

Business process risk. PII must be used for its legitimate business purposes, which exposes it in day-to-day handling, for example in printed form on people's desks. Discretion should be used in areas open to the public, and basic controls should exist, such as clean-desk rules or automatic locking of computers not in use.

Topic 3: Emerging Technology

This topic helps internal auditors recognize emerging technology practices and their impact on security. Such practices include bring your own device (BYOD), smart devices, and the Internet of things (IoT).

According to The IIA
In addition to reviewing the contents of this topic,
students can review the following IIA materials:
Global Technology Audit Guide (GTAG), “Auditing Smart
Devices: An Internal Auditor’s Guide to Understanding
and Auditing Smart Devices”

Emerging Technology
Technology is constantly advancing, as is the rate and
variety of malicious attacks. How to keep up with new
technology and get ahead of threats? A good place to start
is to provide assurance regarding IT general controls
including physical security, logical access controls, and
operational controls.

But what other practices can be used?

The Internet of things (IoT) refers to a system of interrelated physical devices around the world connected to the Internet, collecting and sharing data. It allows for the transfer of data over a network without human action. IoT has emerged to allow machine-generated data to be analyzed for insights to drive improvements.
The benefits of IoT to businesses are that it allows more
access to data about an organization’s products and
internal systems and a greater ability to make changes as
a result, such as pushing out new security updates.
However, this raises new concerns about data privacy and
security. The increase in connected devices gives
cybercriminals more entry points and leaves sensitive
information vulnerable. Establishing a standardized
security protocol to address the scope and diversity of
devices is a central challenge.

Hardware authentication ties authentication to something the user physically possesses, such as a hardware security key, a smart card, or a registered mobile device that generates or receives a one-time code. It is normally combined with other factors, such as a password or a biometric, to form multifactor authentication. Note that one-time codes delivered by SMS are weaker than a dedicated hardware token, because they can be intercepted or redirected through the phone number.

User-behavior analytics operates on the premise that by identifying activity that does not fit within the normal routine of an employee, IT can identify a malicious attacker posing as an employee.
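As an added example (not material from the IIA guide), the baseline-and-deviation idea behind user-behavior analytics in Python: a per-user profile of source countries, hours of activity, and outbound data volume is built from historical logon records, and each new event is flagged on the dimensions where it departs from that profile. All users, timestamps, countries, and volumes are constructed for the example, and the thresholds are illustrative assumptions rather than recommended values.

```python
"""Baseline-and-deviation user-behavior analytics (added example, not IIA material).

All records below are constructed for the example; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history used to learn each user's routine:
# (ISO timestamp, user, source country, bytes sent out of the network).
HISTORY = [
    ("2024-03-04T08:55:00", "jdoe", "US", 4_000),
    ("2024-03-05T09:10:00", "jdoe", "US", 6_000),
    ("2024-03-06T09:30:00", "jdoe", "US", 5_000),
    ("2024-03-07T17:45:00", "jdoe", "US", 5_500),
    ("2024-03-04T22:05:00", "ops-night", "US", 50_000),
    ("2024-03-05T23:40:00", "ops-night", "DE", 48_000),
    ("2024-03-06T01:15:00", "ops-night", "US", 52_000),
]

# Constructed new events to score against the learned baseline.
NEW_EVENTS = [
    ("2024-03-11T09:05:00", "jdoe", "US", 5_200),        # routine
    ("2024-03-11T03:12:00", "jdoe", "RO", 900_000),      # off-hours, new country, bulk egress
    ("2024-03-11T00:30:00", "ops-night", "DE", 49_000),  # routine for a night-shift account
    ("2024-03-11T10:00:00", "newhire", "US", 1_000),     # no history at all
]


def build_baseline(history):
    """Per-user profile: countries seen, hours of day seen, outbound volumes observed."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "bytes": []})
    for ts, user, country, nbytes in history:
        p = profiles[user]
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["bytes"].append(nbytes)
    return profiles


def hour_is_usual(hour, seen_hours, slack=1):
    """True if the hour is within `slack` hours of any hour previously seen (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen_hours)


def score_event(event, baseline, z_threshold=3.0):
    """Return the deviations found for one event; an empty list means it fits the routine."""
    ts, user, country, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        # Brand-new accounts have no routine yet; route them to a separate review rule.
        return ["no baseline for user"]
    findings = []
    if country not in profile["countries"]:
        findings.append(f"new source country {country}")
    hour = datetime.fromisoformat(ts).hour
    if not hour_is_usual(hour, profile["hours"]):
        findings.append(f"activity at {hour:02d}:00 outside usual hours")
    vols = profile["bytes"]
    mu, sigma = mean(vols), pstdev(vols)
    # With a flat history (sigma == 0) fall back to a simple multiple of the mean.
    spike = (nbytes - mu) / sigma > z_threshold if sigma > 0 else nbytes > 3 * mu
    if spike:
        findings.append(f"outbound volume {nbytes} vs usual about {int(mu)}")
    return findings


def triage(history, new_events):
    """Map (timestamp, user) -> list of findings for every new event."""
    baseline = build_baseline(history)
    return {(ts, user): score_event((ts, user, c, b), baseline) for ts, user, c, b in new_events}


if __name__ == "__main__":
    for key, findings in triage(HISTORY, NEW_EVENTS).items():
        print(key, "->", findings or "ok")
```

The night-shift account shows why the baseline must be per user: its 00:30 logon from Germany is routine for that account and raises nothing, while the same hour and a new country for the day-shift user produce three independent findings that an analyst can weigh together.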

Data loss prevention (DLP) aims to ensure that end users do not send sensitive or critical data outside the corporate network, by inspecting data in motion, at rest, and in use against the organization's classification rules and blocking or quarantining policy violations. Complementary technology such as encryption and tokenization can protect data down to the subfield level, for example by tokenizing a card number while leaving only the last four digits readable.
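Added example, not part of the original guide: a DLP egress rule that finds card numbers in outbound text, validates them with the Luhn check to avoid false positives on look-alike numbers, and replaces each with a token that keeps only the last four digits, which is what "protection down to the subfield level" looks like in practice. The sample message, the in-memory vault, and the random-token scheme are constructed for illustration; a production system would keep the vault in a hardened, separately controlled store.

```python
"""DLP egress check with Luhn validation and subfield-preserving tokenization
(added example, not IIA material; sample text and vault are constructed)."""
import re
import secrets

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment cards; filters out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-style tokenization: the token keeps the last four digits (the subfield the
    business process needs) and is random elsewhere; the real PAN never leaves the vault."""

    def __init__(self):
        self._forward = {}   # PAN -> token
        self._reverse = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        if pan in self._forward:
            return self._forward[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must not itself pass as a real card number, nor collide with another token.
            if not luhn_ok(token) and token not in self._reverse:
                break
        self._forward[pan] = token
        self._reverse[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def redact_outbound(text: str, vault: TokenVault):
    """Egress rule: replace every Luhn-valid PAN with its token.

    Returns (rewritten text, list of masked PANs found) so the finding can be logged
    without the log itself becoming a store of card numbers."""
    masked = []

    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw            # e.g. an order number that merely looks like a PAN
        masked.append("*" * (len(digits) - 4) + digits[-4:])
        return vault.tokenize(digits)

    return PAN_RE.sub(repl, text), masked


if __name__ == "__main__":
    # Constructed outbound message: one (test) card number and one look-alike order number.
    vault = TokenVault()
    msg = "Customer 4111 1111 1111 1111 called about order 1234567890123, please refund."
    clean, findings = redact_outbound(msg, vault)
    print(clean)
    print("findings:", findings)
```

Two design points worth noting: tokens are rejected if they happen to pass the Luhn check, so a token can never be mistaken for (or used as) a real card number downstream, and the finding list returned for logging is already masked, so the DLP audit trail does not become another place where card numbers accumulate.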

Machine learning and artificial intelligence can be used to automate certain protocols or detect trends in big data. Rather than looking at the end user only, these systems can also distinguish between good and bad software and provide an advanced threat detection and elimination solution.

Cloud computing security refers to the controls, technologies, and policies in place to protect the data, applications, and infrastructure of cloud computing. Cloud security architecture can use numerous control types, such as deterrent, preventive, detective, and corrective controls, to safeguard against potential system weaknesses. In addition, cloud access security brokers (CASBs) are software that sits between end users and cloud applications to monitor activity and enforce security policies. ISO/IEC 27017 provides guidance on information security controls for cloud services.

Smart Devices
Smart devices enable working in a truly mobile way.
Examples include cell phones, tablets, wearable devices
(e.g., watches, glasses), and specialized devices such as for
warehouse picking. Smart devices have operating systems,
data storage, and security mechanisms, and they connect to
cellular and/or Wi-Fi networks for data, voice, and/or video.
They may include GPS or specialized sensors such as for
radio frequency identification (RFID).

Internal auditors may need to audit the security impact of
smart devices as well as related systems that may be under
the control of third parties. Understanding the business
context will help internal auditors determine the real
business needs for smart devices, which could highlight
opportunities for business advantage or a lack of real need
(i.e., too much risk, too little reward). A risk assessment will
help determine the engagement’s objectives and scope and
required resources as well as the relevant risk and controls
that the internal audit activity should recommend.

A key issue around the security impact of smart devices is a
bring-your-own-device (BYOD) policy. A BYOD policy relates
to whether or not an employee or contractor can (or is
required to) bring their own laptop or mobile device to the
workplace and use it for work purposes. Note that
prohibitions on laptops or tablets might be enforceable so
long as a suitable device is provided to the employee or
contractor, but prohibitions on mobile phones would be
feasible only in very high security environments.

Smart Device Risks
Smart devices face risks in a number of categories.

Compliance risks. The variety and number of smart devices create a risk of organizational smart devices failing to be regularly updated per policies and procedures. BYOD update risks are even higher, since the organization may not control updates. For example, a person could avoid updates due to performance concerns.

Privacy risks. Personally identifiable information (PII) is stored on smart devices. Also, the organization could use smart devices to monitor its employees. BYOD practices and devices of vendors, guests, or visitors increase the risks of PII compromise.

Physical security risks. Small devices are at risk of loss, breakage, or theft.

Information security risks. Data on smart devices could be accessed if left unencrypted. Backups may not be performed. Controls built into the operating system (OS) could be bypassed to allow prohibited software to be installed, which could contain malware; this is called "jailbreaking" on Apple iOS and "rooting" on Android. Either practice undermines the platform's security model and can defeat management controls such as remote wiping. Users of organizational or BYOD devices could join untrusted networks, where their traffic can be intercepted or their devices compromised. GPS could be used for tracking or other nefarious purposes.

Smart Device Controls
A general smart device control is an acceptable use policy
with a clear indication of penalties for noncompliance. This
can include a mandate for all organizational and BYOD
devices to have up-to-date anti-malware software installed,
to keep the OS updated, to use only official app stores, and
to not do jailbreaking/rooting. End users need to be
educated on weak versus strong passwords or other forms
of authentication. Basic security training for organizational
or BYOD devices can be provided, such as promptly
reporting thefts or ensuring that user devices have user
authentication turned on in case the device is stolen.
BYOD policies should require an employee signature and
may include:
What devices are allowed and the individual’s
maintenance responsibilities.
Policies on downloading, use, and transmission of
organizational data, with specific prohibitions for sensitive
data.
Minimum security requirements.
Backup policies, including if home backups are allowed.
(Home backups could be prohibited to maintain U.S. HIPAA
compliance.)
Enabling remote wiping (for stolen devices) or possibly
mobile device management (MDM) for remote software
updating, monitoring, etc.
Selling, discarding, or sending in for maintenance policy
(e.g., proper wiping of memory).
Requirements to use a virtual private network (VPN) and
not use Wi-Fi networks if a VPN exists.

Controls also exist at the hardware and software levels. Authentication controls (a passcode or biometric, with a lockout after repeated failed attempts) need to be in place. Devices with hardware-backed encryption, which protects stored data and apps while the device is locked, can be selected; where that is unavailable, software encryption of stored data is a must. Data in transit should also be encrypted, for example over a VPN or TLS-protected connections.
Topic 4: Cybersecurity Risks
This topic helps internal auditors recognize existing and
emerging cybersecurity risks, including hacking, piracy,
tampering, ransomware attacks, phishing attacks, and
more.

According to The IIA
In addition to reviewing the contents of this topic,
students can review the following IIA materials:
Global Technology Audit Guide (GTAG), “Assessing
Cybersecurity Risk: Roles of the Three Lines of
Defense”
Global Technology Audit Guide, “Auditing Insider
Threat Programs”
Global Technology Audit Guide (GTAG) 1, “Information
Technology Risk and Controls,” 2nd Edition

Cybersecurity Risks
Cybersecurity, also referred to as computer or IT security,
is the protection of computers, networks, programs, and
data from attack, unauthorized access, damage, change, or
destruction. Cyber risks (or cyber threats) involve persons or
entities that seek unauthorized access to a system,
network, or device, either remotely or via inside access. A
hacker is a person who accesses systems and information,
often illegally and without authorization. Unethical
organizations employ hackers to perform industrial
espionage. Hackers could harm the organization’s
employees, contractors, customers, and other stakeholders
and its competitive advantage. They could cause direct
monetary loss as well as reputation damage if certain
information were made public.

Cybercrime is a growing area of organized crime. Profit is the motive. Organized crime organizations may have large-scale operations in certain nations that suffer from poor enforcement or graft and corruption.

There are generally three main types of computer crime:
Those where the computer is the target of a crime
Those where the computer is used as an instrument of a
crime
Those where the computer is not necessary to commit the
crime, but it is used to make committing the crime faster,
to process more information, or make the crime more
difficult to identify and trace
Two other sources of cybersecurity risks are insiders and
service providers, especially service providers who develop
substandard offerings that have security vulnerabilities or
who do not promptly patch known vulnerabilities. Aside from
negligence, insiders and service providers could use their
inside knowledge and access to take advantage of inside
information to perpetrate or conceal fraud.

Malware
Malware is malicious software designed to gain access to a
computer system without the owner’s permission for the
purpose of controlling or damaging the system or stealing
data. The types of attacks that are increasing are
ransomware (see below), attacks that gain unrestricted
access to user systems and data, and attacks that gather
network passwords and financial data. Zero-day attacks use
malware that is not yet known by the anti-malware software
companies.

The number and frequency of network attacks are increasing,
sometimes with several versions of the same type of
malware appearing in one day. Antivirus vendors have
resorted to hourly updates. The antivirus industry rapid
response system is challenged by criminals who have their
own structure to develop new threats and to scan for and
infect vulnerable systems.

Types of malware include the following:

VirWare. VirWare includes viruses, worms, and ransomware.
A virus attaches itself to storage media, documents, or executable files and is spread when the files are shared with others. One type is a macro virus, which uses the macro function of software such as Microsoft Word® to create executable code. In response, Microsoft introduced file formats whose extensions signal whether macros can be present (e.g., .xlsx cannot contain macros; .xlsm can), so that macro-enabled documents can be identified and blocked at the gateway.
Worms are self-replicating malware that can disrupt
networks or computers. Unlike a virus, a worm does not
attach itself to an existing program or to code. It
spreads by sending copies of itself throughout a
network. Worms may act to open holes in network
security or trigger a denial-of-service attack (see below).
With ransomware, software encrypts all files on a
computer or network and the criminal sends the user a
demand indicating that the encryption key won’t be
released unless a payment is made quickly, usually
through a cryptocurrency. Avenues of attack include
links or attachments in unsolicited emails as well as
malvertising, or malicious advertising on websites that
can direct users to criminal servers even if the user
never clicks on an ad. Ad-blocking software is a partial
defense.

Instant message (IM) worms, worms for mobile devices,
and net-worms have been increasing because they don't
need to rely on users opening email. Email worms have
been decreasing, partly due to the rapid response system
and improved antivirus software. Cybercriminals have
shifted to using more Trojan horses.

Trojan horses. Trojan horses are malicious programs disguised as innocuous or useful software and delivered using social engineering. Social engineering is a set of persuasion techniques used to make fraudulent messages seem inviting; it is initiated through deceptive emails, instant messages, or phone contact. A key control is to educate users to initiate all contact themselves (i.e., don't click on an email link; go to the site directly). Once installed, Trojan horses can install more harmful software, such as spyware. Spyware is malware installed without the user's knowledge to surreptitiously transmit data to an unauthorized third party. Trojan horses are smaller, easier to transmit, and cheaper to develop than worms because they do not need to be capable of self-propagation. Trojan horses include the following.
Trojan-clickers silently direct the infected computer to web resources, for example to inflate advertising clicks or visitor counts.
Banker programs steal online banking credentials and account data.
Rootkits run at the root (administrator or kernel) level and hide the presence of other malware from the operating system and security tools.
Trojan-proxies use an infected computer as a proxy, for example to relay spam or attack traffic anonymously.

Other malware.
Adware is malware intended to provide undesired
marketing and advertising, including pop-ups and
banners on a user’s screen.
A key logger records keystrokes to steal passwords,
etc.
A dialer automatically dials a 900 number (a high-fee
line) to generate huge debts.

Other external threats.
Phishing is creating a website that appears identical to
an organization’s site and then luring the organization’s
users to that site through social engineering to capture
IDs, passwords, government IDs, etc.
An evil twin is a Wi-Fi network operated by a
cybercriminal that mirrors a legitimate network.
Identity theft is the illegal use of sensitive information
to impersonate an individual over computer networks in
order to defraud the person or commit a crime without
the perpetrator’s true identity being known. The human-
to-browser phase of transactions is where most identity
theft occurs, not in the space between browser and web
server. Most of the problem is due to poor password
controls and social engineering.
Piggybacking is either physically following someone
through a secure door or using someone’s legitimate
password to access a network.
A denial-of-service attack is designed to take up so
much of a shared resource that none of the resource is
left for other users.

Internal threats: illegal program alterations.
Hackers, or more likely, malicious insiders with
programming privileges, can alter the code of programs,
usually to perpetrate fraud or theft. The following are
examples of such data manipulation techniques:
Asynchronous attacks cause an initial system action
and then a subsequent system reaction. For example,
after a system has been shut down and before it
restarts automatically, changes may be made to the
restart parameters to weaken security.
Data diddling is intentionally manipulating data in a
system.
Data hiding is manipulation of file names or extensions
or other tricks to hide a file so that it can be
manipulated (e.g., hiding an audit log).
Backdoors can bypass normal authentication and be
installed by direct code manipulation (or by Trojan
horses).
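The macro-virus passage above notes that the .xlsx/.xlsm extensions signal whether a document can hold macros, and the data-hiding item notes that file names and extensions can be manipulated to conceal a file. Both call for the same control: inspect the content, not the name. The following Python is an added example (not the guide's own material) that detects a VBA project inside an Office Open XML package regardless of what the extension claims, and flags files whose leading bytes (magic number) contradict the type their extension implies. The magic-number table is a constructed subset, and the packages the demo builds are shaped like OOXML but are not valid workbooks.

```python
"""Content inspection that does not trust file names (added example, not IIA material).

Detects VBA projects inside Office Open XML packages whatever the extension says, and
flags files whose leading bytes contradict their extension. Sample packages and the
magic-number table are constructed for the demo; the packages are not valid workbooks."""
import io
import zipfile

# Leading bytes ("magic numbers") and the container type they indicate (constructed subset).
MAGIC = [
    (b"PK\x03\x04", "zip"),                            # also OOXML (.docx/.xlsx/.xlsm) and JAR
    (b"MZ", "pe"),                                     # Windows executable or DLL
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls compound files
    (b"\x7fELF", "elf"),
]

# Container types each extension is allowed to carry.
EXPECTED = {
    "xlsx": {"zip"}, "xlsm": {"zip"}, "docx": {"zip"}, "docm": {"zip"}, "zip": {"zip"},
    "pdf": {"pdf"}, "exe": {"pe"}, "dll": {"pe"}, "xls": {"ole"}, "doc": {"ole"},
    "txt": {"text"}, "log": {"text"},
}

# OOXML extensions that declare "no macros"; macro content under these names is a red flag.
NO_MACRO_EXTS = {"xlsx", "docx", "pptx"}


def sniff(data: bytes) -> str:
    """Classify by leading bytes; fall back to a crude text heuristic."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "text" if b"\x00" not in data[:512] else "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if the package carries a VBA project part or declares the vbaProject content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return b"vnd.ms-office.vbaProject" in z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False


def inspect_file(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    macro = kind == "zip" and ooxml_has_macros(data)
    mismatch = ext in EXPECTED and kind not in EXPECTED[ext]
    return {
        "name": filename,
        "type": kind,
        "extension_mismatch": mismatch,
        "macro_enabled": macro,
        "suspicious": mismatch or (macro and ext in NO_MACRO_EXTS),
    }


def make_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped package (for the demo only, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("budget.xlsm", make_ooxml(True)),            # macros where macros are expected
        ("budget.xlsx", make_ooxml(True)),            # macro part behind a no-macro extension
        ("audit.log", b"MZ\x90\x00" + b"\x00" * 60),  # executable renamed to look like a log
        ("notes.txt", b"plain text\n"),
    ]
    for name, data in samples:
        print(inspect_file(name, data))
```

A legacy .doc or .xls (OLE compound file) stores macros in separate streams rather than a zip part, so the `ole` branch here only confirms the container type; a full gateway check would parse those streams as well.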

Server/mainframe malware. Attacks on mainframes are
rare because of the specific knowledge needed for a
particular mainframe. Nevertheless, publicly available
servers connected to the web are assumed to be under a
constant barrage of attacks.

Server attacks typically start by gaining low-privilege access, followed by an attempt to escalate privileges. Once inside, the attacker hides their tracks, steals data, and breaks or takes control of the system.

Microsoft servers have security issues that are regularly patched and publicly announced, but hackers will exploit systems that aren't updated. In addition to system attacks, publicly available servers can be attacked through their applications. For example, an intranet server might use a distributed application to allow employees to check customer data. Hackers find flaws in such applications.

Exhibit 3-26 provides a summary of the types of malware just discussed.

Exhibit 3-26: Malware Summary

Virware: viruses, worms, ransomware.
Trojan horses: Trojan-clickers, banker programs, rootkits, Trojan-proxies.
Other malware: adware, key loggers, dialers.
Other external threats: phishing, evil twins, identity theft, piggybacking, denial-of-service attacks.
Internal threats (illegal program alterations): asynchronous attacks, data diddling, data hiding, backdoors.
Server/mainframe malware.

Protecting Systems from Malicious Software and Computer Crime
All operating systems contain bugs that create vulnerabilities and affect overall system performance. The use of homogeneous operating systems allows wide-scale exploitation of a single bug. Controls include:
Frequent updates and patches to operating systems.
Running day-to-day work under accounts without administrative privileges (least privilege).
Operating systems that restrict the rights given to code, such as running it in a virtual area or sandbox. This addresses the security flaw of over-privileged code, in which any code executed on a system receives all the rights of the system user.

Antivirus software maintains signatures of known malware, blocks it from being installed, and removes or quarantines infections it finds. Such software scans both incoming and outgoing data. Automatic signature downloads and regularly scheduled scans are important controls to keep such systems up to date. Some antivirus programs also use heuristic or behavior-based detection that looks for unusual code or activity and can catch previously unseen malware. Policies can also help, such as allowing downloads only from reputable sources. Other tools include blockers for spyware, spam, macros, and pop-ups.

One method of self-protection from malware in general is to follow a minimum set of agreed-upon controls, called baseline controls. One example is the VISA® Cardholder Information Security Program (CISP), which made a set of security guidance rules available to credit card network participants (the CISP requirements were later incorporated into the industry-wide PCI Data Security Standard). This advice, called the "Digital Dozen," can be found in the Global Technology Audit Guide (GTAG) 1, "Information Technology Risk and Controls," 2nd Edition.

Other controls include taking sensitive information offline and performing background checks on new employees and users with security clearance. Browsers contain phishing filters, which send data to the browser manufacturer for validation.

Controls associated with proper user identification and authentication of identity are critical. Authentication mechanisms must be secured and assessed. Users must be aware of the dangers of sharing or not securing passwords or creating weak passwords.

Externally Stored Data and Third-Party Cybersecurity Risk
When data is stored external to the organization, such as in
a third-party cloud, it is vital for the organization to ensure
that vendors are properly managing relevant risks. Critical
steps for management to take include due diligence and
strong contracts that require:
Service organization control (SOC) reports.
Right-to-audit clauses, including use of cybersecurity
engagements.
Service level agreements (SLAs), including reporting
requirements related to information security protections.

Oversight and data and information security governance
include monitoring the vendors and the key metrics they
report to ensure conformance with the SLAs. Remedies for
deficiencies include asking for timely resolution of concerns,
enforcing penalties, and enforcing the right to audit.
Vendors who do not remediate issues in a timely manner
may need to be replaced.

Piracy and Device Tampering
Software piracy is the illegal copying of software or
distribution of software access to more users than is allowed
in the organization’s contract. Software organizations may
be able to detect illegal use of software remotely or have
their own right-to-audit clauses with the purchasing or
leasing organization. Financial penalties for noncompliance
can be severe. A policy prohibiting piracy is an important
control. Risk-based internal audits may be needed to
provide assurance that software is not being pirated.

Device tampering includes jailbreaking/rooting of smart devices or other hardware manipulations. It may enable piracy or installation of apps that contain malware. Device tampering is dangerous and should also be prohibited by policy.

Insider Threat Programs
The primary purpose of an insider threat program is to
protect critical assets, which include valuable data, people,
facilities, and systems. Insider threats cannot be completely
eliminated, and trying to do so can be prohibitively
expensive.

Programs to monitor and control insider threats may be part of the risk universe for internal auditors. Given a risk assessment, the internal audit activity may plan assurance engagements to assess the effectiveness of these programs or consulting engagements to assess insider risks. An important step is to assess the control environment, since poor authentication controls and so on can create a pervasive impact on opportunities for insider threats. Usually audits will focus on a specific subset of insider threats, such as hiring practices or management's methods to monitor the external and internal environment, rather than having a full scope.

The steps related to understanding the engagement context, gathering information, performing a risk assessment, and communicating results to the board are discussed next. These steps will be used to establish the scope, allocate resources (the CAE needs to obtain competent assistance and advice per Standard 1210.A1), and plan the engagement.

Understanding the Engagement Context and Gathering Information
Understanding the engagement context and purpose may
involve determining if changes in the operating
environment, such as mergers or acquisitions, have
introduced new risks to the environment. Information
gathering can include discovery about past fraud
allegations, occurrences, and investigations involving
insiders. It is also important to review related regulatory
compliance requirements. Internal auditors may need to
prepare by studying established security frameworks,
programs, and recommendations. This culminates in a risk
assessment.

An insider threat program should have a process map that can be reviewed. Components of the program to review include:
Stakeholders involved and their requirements.
Senior management and board buy-in and oversight, including governance structure and policy.
Management's insider threat planning process.
Management's insider threat risk management process:
How it identifies critical assets.
How it identifies threats.
How it assesses vulnerabilities.

Management’s insider threat operations:


Communications, training, and awareness programs
(which should be improved using feedback loops from
issue resolutions to improve these processes).
Preventive and detective controls.
Data and tool requirements.
Analysis and incident management:
Initial and internal investigations.
Referrals and reporting.
External criminal investigation decisions.

Final actions, management reporting, and feedback and


lessons learned.

Subprocesses may also be reviewed, such as the employee
application, screening, hiring, onboarding, reaccreditation
(changing access privileges when employees shift to new
positions), and termination process for employees. Each
step in such a process will have its own risks and a potential
set of controls. For example, the employee application
process has a risk of hiring employees who are secretly
working for major competitors. Employment history
evaluation and additional screening for sensitive positions
are potential controls.

Risk Assessment
Exhibit 3-27 reviews common insider threats that are
generally based on the use of IT to commit the crimes.

Exhibit 3-27: Insider Threats

Threat | Risk | Potential Impact
Fraud | Identity theft or illegal use of data for personal gain | Financial misstatements or reputation damage
IT sabotage | Use of IT to harm organization or specific individual | Denial of service or productivity loss
Theft of intellectual property | Industrial espionage involving insiders | Loss of competitive advantage or revenue
Theft or disclosure of sensitive data | Theft of confidential, proprietary, or private data for financial gain | Restitution payments to customers or loss of customer trust
Theft of personal data | Theft or disclosure of personally identifiable information | Legal expenses, restitution, or loss of trust; data privacy noncompliance penalties
Illegal activities | Use of digital assets to send spam, gamble, or do other prohibited activities | Financial losses and reputation damage

Insider Threat Reports and Recommendations
To effectively communicate the risks related to insider
threats to the board, internal auditors must translate audit
findings into terms of financial loss, reputation damage,
operational disruption, and other organizational
performance indicators. Best practices include referring to
existing industry reports and educating the board that only
reasonable assurance of security is possible.

The Global Technology Audit Guide, “Auditing Insider Threat
Programs” cites the CERT® Insider Threat Center’s
“Common Sense Guide to Mitigating Insider Threats, Fifth
Edition,” for a set of best practices or control objectives.
Internal audit activity recommendations may include one or
more of these best practices, as reproduced below,
depending on the results of the engagement:
Know and protect your critical assets.
Develop a formalized insider threat program.
Clearly document and consistently enforce policies and
controls.
Starting at the hiring process, monitor and respond to
suspicious or disruptive behavior.
Anticipate and manage negative issues in the work
environment.
Consider threats from insiders and business partners in
enterprise-wide risk assessments.
Be especially vigilant regarding social media.
Structure management and tasks to minimize
unintentional insider stress and mistakes.
Incorporate malicious and unintentional insider threat
awareness into periodic security training for all
employees.
Implement strict password and account management
policies and practices.
Institute stringent access controls and monitoring policies
for privileged users.
Deploy solutions for monitoring employee actions and
correlating information from multiple data sources.
Monitor and control remote access from all end points,
including mobile devices.
Establish a baseline of normal behavior for both networks
and employees.
Enforce separation of duties and least privilege.
Define explicit security agreements for any cloud servers,
especially access restrictions and monitoring capabilities.
Institutionalize system change controls.
Implement security backup and recovery processes.
Close the doors to unauthorized data exfiltration.
Develop a comprehensive employee termination
procedure.

Topic 5: Cybersecurity Policies
This topic describes organizational policies related to
cybersecurity, information security, and information security
governance.

According to The IIA
In addition to reviewing the contents of this topic,
students can review the following IIA materials:
Global Technology Audit Guide (GTAG), “Assessing
Cybersecurity Risk: Roles of the Three Lines of
Defense”

Cybersecurity Policies
Cybersecurity policies and related training and testing are
designed by IT risk management and IT compliance
functions (second line roles) and administered by IT
operations management roles (first line roles). Internal audit
(third line roles) provides independent ongoing evaluations
of cybersecurity policy effectiveness. Since many
cybersecurity policies are based on cybersecurity
frameworks, a common cybersecurity framework is
presented next.

NIST Cybersecurity Framework
The U.S. National Institute of Standards and Technology
(NIST) Cybersecurity Framework, or CSF, provides a risk-
based iterative approach to the adoption of a vigilant
cybersecurity stance for public and private organizations. It
also includes guidance on self-assessment. The NIST CSF
Framework Core, shown in Exhibit 3-28, includes
cybersecurity activities, desired outcomes, and references
from industry standards, guidelines, and practices. The
Framework Core has five functions, which are further
divided into 23 categories.

Exhibit 3-28: NIST CSF Framework Core

Function | Description | Categories
Identify | Identify and communicate cybersecurity objectives and goals. Develop organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. | Asset management; Business environment; Governance; Risk assessment; Risk management strategy; Supply chain risk management
Protect | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. | Identity management and access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology
Detect | Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. | Anomalies and events; Security continuous monitoring; Detection processes
Respond | Develop and implement the appropriate activities to take action regarding a cybersecurity event. | Response planning; Communications; Analysis; Mitigation; Improvements
Recover | Maintain plans for resistance and to restore capabilities or services that were impaired due to a cybersecurity event. | Recovery planning; Improvements; Communications

Source: “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0. NIST (National Institute of Standards and Technology), 2014.

Information Security Policies
An effective information security policy should provide
guidelines for preventive and detective controls to address a
variety of information risks. Such risks can include
unauthorized access, disclosure, duplication, modification,
misappropriation, destruction, loss, misuse, and denial of
use. Information security policies guide management, users,
and system designers in making information security
decisions.
The International Organization for Standardization, or ISO,
the world’s largest developer and provider of international
standards, has established guidelines and general principles
for initiating, implementing, maintaining, and improving
information security management within organizations. ISO
provides the 27000 family of standards for the development
of organizational security standards and effective security
management practices and to help build confidence in
interorganizational activities. The ISO 27001 certification
means that the organization will be able to:
Improve enterprise security.
Plan and manage security effectively.
Secure partnerships and e-commerce.
Enhance customer confidence.
Perform accurate and reliable security audits.
Reduce liability.

For internal auditors, a key resource is The IIA’s Global
Technology Audit Guide (GTAG), “Assessing Cybersecurity
Risk: Roles of the Three Lines of Defense.”

To design an information security policy, the organization
should assess its security needs to gain an understanding of
its business needs and security objectives. Common
questions that this assessment should ask include:
What information is considered business-critical?
Who creates that critical information?
Who uses that information?
What would happen if the critical data were to be lost,
stolen, or corrupted?
How long can our business operate without access to this
critical data?

As information crosses multiple lines in an organization, so
too does information security. Therefore, an information
security policy should be coordinated with multiple
departments—including systems development, change
control, disaster recovery, compliance, and human
resources—to ensure consistency. Additionally, an
information security policy should state Internet and email
ethics and access limitations and define the confidentiality
policy. Good policies also need to provide precise
instructions on how to handle security events and escalation
procedures (e.g., how to escalate situations where a risk is
likely exceeding the organization’s risk appetite). One
essential information security policy is to ensure that the
organization’s Three Lines roles also cover information
security roles and responsibilities, as is discussed more
next.

Information Security Objectives
Auditors not only need to understand information security
principles and controls in general; they should also
understand the security needs of the particular facet of the
business where the controls and information security
systems reside. Both are needed to gain a full appreciation
of information security risks and controls.

The overall goal of information security is to maintain the
integrity of information assets and processing and mitigate
and remediate vulnerabilities. COBIT, formerly known as
Control Objectives for Information and Related Technology,
is an internationally accepted framework created by ISACA
that helps enterprises to achieve their objectives for the
governance and management of information technology.
COBIT systems security objectives reflect the breadth and
complexity of the systems security environment:
Manage IT security, as aligned with business
requirements.
Implement an IT security plan that balances
organizational goals and risks and compliance
requirements with the organization’s IT infrastructure and
security culture.
Implement identity management processes to ensure that
all users are identified and have appropriate access rights.
Manage user accounts through appropriate policies and
processes for establishing, modifying, and closing them.
Ensure security testing, surveillance, and monitoring to
achieve a baseline level of system security and to
prevent, identify, and report unusual activity.
Provide sufficient security incident definition to allow
problems to be classified and treated.
Protect security technology by preventing tampering and
ensuring the confidential nature of security system
documentation.
Manage cryptographic keys to ensure their protection
against modification and unauthorized disclosure.
Prevent, detect, and correct malicious software across the
organization in both information systems and technology.
Implement network security to ensure authorized access
and flow of information into and from the enterprise.
Ensure that sensitive data is exchanged only over trusted
paths or through reliable media with adequate controls to
ensure authenticity of content, proof of submission, proof
of receipt, and proof of nonrepudiation of origin.
Systems security is made up of controls general to the
organization and specific to IT and physical security
systems. Because a system is only as strong as its weakest
link, systems security must start with use of a control
framework such as COSO’s Internal Control—Integrated
Framework. Other controls such as proper segregation of
duties are a prerequisite for IT systems security.

Pointing out a deficiency in general or application controls
needs to be put in context by explaining to management
the risk exposure the deficiency is causing. The auditor
should recommend the best system that can address the
control given the particulars of the organization. Continual
monitoring is required for controls to be effective. For
example, a review of a software application for controls
should include the security administration procedures,
password controls, and user role provisioning methods.

When auditing for computer-related fraud, auditors trained
in computer controls should try to think like a thief or a
hacker in determining areas of greatest vulnerability. While
this is not an easy task, it is important to determine what
fraud would “look like” in the particular area under review
so as to design the audit for maximum impact. This involves
considering:
How a system could be exploited.
How the audit trail might be covered up.
What level of authority would be needed to enact the
cover-up.
What explanations could be used if the issue were
detected.

Role of the Three Lines Model in Cybersecurity
In the Three Lines Model, the first and second line roles for
an organization are management (including its support
functions) and the third is the internal audit activity. First
line management roles deliver products and services to
customers and are responsible for managing risk. Second
line roles provide complementary expertise, support,
monitoring, and challenge to first line roles. Proper board
governance is also vital to the model and forms two of its
six principles:
Governance
Governing body roles
Management and first and second line roles
Third line roles
Third line independence
Creating and protecting value

In terms of cybersecurity, management is accountable for
developing, funding, monitoring, and controlling data
administration, data processes, data risk management, and
data controls. They usually delegate to qualified systems
administrators who recruit and train certified and qualified
staff. Systems administrators need to:
Implement cybersecurity procedures, including training
and testing of these procedures.
Keep all systems up to date and securely configured,
including restriction to least-privilege access roles (i.e.,
not overprivileged).
Use intrusion detection systems.
Conduct penetration testing (simulated attacks such as a
denial-of-service attack) and internal and external scans
for vulnerability management.
Manage and protect network traffic and flow.
Employ data and loss prevention programs, including
encrypting data when feasible.

The first and second line roles that include risk, control, and
compliance functions help assess whether the controls are
functioning adequately and whether they are complete. First
and second line roles need qualified, talented, and certified
individuals who can conduct cyber risk assessments and
gather intelligence on cyber threats. The roles need
adequate policies, including for ongoing training. They may
be involved in helping to:
Design roles to have least-privilege access.
Assess external business relationships.
Plan and test business continuity and disaster recovery.

Internal audit maintains its independence and objectivity in
part so that it can properly function as the third line role. In
the event that the first two lines fail to provide adequate
protection, have an incomplete strategy, or fail to
implement recommended remediation, internal auditors will
be in a position to make these observations to senior
management and/or the board. This might entail evaluating:
Cybersecurity preventive and detective controls for
adequacy and completeness.
The IT assets of privileged users to ensure that they have
standard security configurations and are free from
malware.
External business relationships by conducting cyber risk
assessments.
The following cybersecurity risk assessment framework can
help the internal audit activity ensure that the board and
management are fulfilling their roles with regard to
cybersecurity.

Cybersecurity Risk Assessment Framework
The “Assessing Cybersecurity Risk” Practice Guide presents
a cybersecurity risk assessment framework, as shown in
Exhibit 3-29. Each of the framework’s components is
interdependent and depends on the effectiveness of the
other components to enable the organization to be fully
prepared to address cybersecurity. Each component is
discussed more next.

Exhibit 3-29: Cybersecurity Risk Assessment Framework

Cybersecurity Governance
Cybersecurity governance is evidenced by clearly defined
policies, relevant tools, sufficient staffing, and insightful
training. Red flags of lack of governance include fragmented
governance structures, incomplete strategy, unnecessary
delays, budget cuts, attrition, or lack of accountability
enforcement.

A cybersecurity governance committee with representatives
from the board, management, and internal audit can be
formed to help:
Establish a culture of cybersecurity risk awareness.
Set a related risk appetite.
Develop cybersecurity business continuity and disaster
recovery plans.
Collect cybersecurity risk intelligence.
Collaborate and share expertise.

Such a committee would also oversee prompt management
responses to security breaches, including root cause
analysis. This committee can help avoid a common pitfall of
management in that emerging threats or vulnerabilities are
not considered proactively. The committee enlists the right
types of expertise, does ongoing research, creates metrics,
and reviews security defense tests.

Inventory of Information Assets
Management is responsible for creating an inventory of
information assets, technology devices, and related
software. This priority-ranked list of information assets can
help determine where to apply stronger controls and where
IT general controls and periodic evaluations should suffice.
The most valuable assets will need preventive and detective
controls that are continually monitored for ongoing
effectiveness.

This inventory will be enhanced if a process map is used or
created to show how the information assets interact. A key
benefit of having an inventory is that it will enable detection
when unknown devices have accessed a network. If these
are the employees’ own devices (used under a bring-your-
own-device policy), they can be authenticated and
inventoried.

An inventory will consider data by type (e.g., transactional,
unstructured), classification (e.g., health data), and storage
environment. A comprehensive inventory will include:
A physical inventory of servers and network, storage, and
end-user devices.
A comprehensive list of all applications.
All third-party-hosted environments and data shared with
external organizations, including regulatory agencies and
vendors.

Standard Security Configurations
Centralized, automated configuration management software
can establish baselines for devices, operating systems, and
software. Standardized configurations are more effective
and easier to use for global updates than a patchwork. Risk
assessments can determine where higher-security
configurations are needed.

Information Access Management
An internal audit activity review of user access can
determine if preventive controls, such as review and
approval of privileges based on a new or transferred job
role, are appropriate and working. An emphasis is placed on
preventive controls for privileged administrative access
because this is a leading indicator of cybersecurity program
effectiveness.
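
The user access review described here, and the reaccreditation and termination subprocesses noted under insider threat programs, can be turned into a repeatable audit analytic. The following Python script is an added example and is not code from the guide or from The IIA. The HR roster, role baseline, entitlement extract, approval records and the names ROLE_BASELINE, PRIVILEGED and SOD_CONFLICTS are constructed, hypothetical sample data. The script reconciles each account's actual grants against HR status (accounts that outlived a termination), against the approved baseline for the person's current role (privileges kept after a transfer), against approval records for privileged grants, and against a segregation-of-duties rule.

```python
"""Access-review analytic: reconcile actual entitlements against HR status,
the approved role baseline, approval records and a segregation-of-duties rule.
Added example with constructed sample data; not the guide's own code."""
from dataclasses import dataclass

# Hypothetical role baseline: the entitlements each job role is approved to hold.
ROLE_BASELINE = {
    "ap_clerk": {"erp.invoice.create", "erp.invoice.view"},
    "ap_supervisor": {"erp.invoice.view", "erp.invoice.approve", "erp.vendor.view"},
    "dba": {"db.admin", "erp.vendor.view"},
}

# Entitlements treated as privileged: a grant outside the role baseline is
# reported as an unapproved privilege unless an approval record exists.
PRIVILEGED = {"db.admin", "erp.vendor.edit", "erp.payment.release"}

# Pairs of entitlements one person must not hold at the same time.
SOD_CONFLICTS = [("erp.invoice.create", "erp.invoice.approve")]

# Constructed sample data: HR roster, actual grants, documented exceptions.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "ap_supervisor"},  # transferred from dba
    "carol": {"status": "terminated", "role": "ap_clerk"},
    "dave": {"status": "active", "role": "dba"},
}
ENTITLEMENTS = {
    "alice": {"erp.invoice.create", "erp.invoice.view", "erp.invoice.approve"},
    "bob": {"erp.invoice.view", "erp.invoice.approve", "erp.vendor.view", "db.admin"},
    "carol": {"erp.invoice.create"},
    "dave": {"db.admin", "erp.vendor.view", "erp.vendor.edit"},
}
APPROVALS = {"dave": {"erp.vendor.edit"}}  # approved exception to the baseline


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def review_access(hr_roster, entitlements, approvals):
    """Return one Finding per control exception, ordered by user."""
    findings = []
    for user, grants in sorted(entitlements.items()):
        record = hr_roster.get(user)
        if record is None or record["status"] != "active":
            # The account outlived the person's employment: termination control failed.
            findings.append(Finding(user, "orphaned_account", ", ".join(sorted(grants))))
            continue
        baseline = ROLE_BASELINE.get(record["role"], set())
        approved = approvals.get(user, set())
        # Grants that neither the current role nor an approval record explains.
        for grant in sorted(grants - baseline - approved):
            kind = "unapproved_privilege" if grant in PRIVILEGED else "beyond_role_baseline"
            findings.append(Finding(user, kind, grant))
        for left, right in SOD_CONFLICTS:
            if left in grants and right in grants:
                findings.append(Finding(user, "sod_conflict", f"{left} + {right}"))
    return findings


def summarize(findings):
    """Count findings by kind, the form an auditor would report to management."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ENTITLEMENTS, APPROVALS)
    for f in results:
        print(f"{f.user:6} {f.kind:22} {f.detail}")
    print(summarize(results))
```

On the sample data the script reports alice for an approval right her clerk role does not include and for the create/approve conflict, bob for a database administrator grant retained after his transfer, and carol for an account still carrying entitlements after termination; dave's extra grant is covered by an approval record and is not reported. In practice the three inputs come from the HR system, the application's entitlement export and the access-request workflow, and the finding kinds map directly to the preventive controls the review is meant to test.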
Prompt Response and Remediation
Mature programs continuously shorten the time to
management response. The second line roles communicate
important risks to management, enact remediation, track
issues to resolution, and create trend reports on resolutions.

Ongoing Monitoring
The second line role is expected to implement a monitoring
strategy designed to generate behavioral change.
Successful behavior change can include the following
results.
Users who do critical processes or access sensitive data
are monitored at the access level.
A systematic process to find IT vulnerabilities and
remediate them is developed, including by regularly
scanning systems.
For external-facing systems, first and second line roles
help define and agree on service level agreements (SLAs),
service organization controls (SOCs), and other risk
assessment and oversight programs such as technical
architecture evaluations and compliance monitoring.
The second line roles do announced and unannounced
penetration testing.
A method of ongoing monitoring and remote updating of
smart devices for malware security should be in place.
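
The monitoring result above (users who access sensitive data are monitored at the access level) and the CERT best practice of establishing a baseline of normal behavior for employees both rest on the same mechanism: learn what is normal for each account from a training window, then score new events against it. The following Python script is an added example, not code from the guide or from The IIA. The log line format, the host and user names and the two log windows are constructed sample data, and the thresholds (hour range, a volume factor of 3) are assumptions chosen for illustration.

```python
"""Baseline-of-normal-behaviour check over access log lines.
Added example with constructed log lines; not the guide's own code."""
import re
from datetime import datetime

# Constructed (hypothetical) log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+user=(?P<user>\S+)\s+"
    r"host=(?P<host>\S+)\s+action=(?P<action>\S+)\s+rows=(?P<rows>\d+)$"
)

# Constructed training window: what "normal" looked like for each user.
BASELINE_LOG = """\
2024-03-04T09:12:03Z user=alice host=fin-db01 action=query rows=100
2024-03-05T10:40:11Z user=alice host=fin-db01 action=query rows=150
2024-03-06T14:05:27Z user=alice host=fin-db01 action=query rows=120
2024-03-04T08:01:00Z user=bob host=hr-app action=view rows=20
2024-03-07T17:30:45Z user=bob host=hr-app action=view rows=30
"""

# Constructed review window: the events to score against the baseline.
REVIEW_LOG = """\
2024-03-11T09:30:00Z user=alice host=fin-db01 action=query rows=130
2024-03-11T23:45:00Z user=alice host=fin-db01 action=export rows=9000
2024-03-11T10:00:00Z user=bob host=fin-db01 action=view rows=25
2024-03-11T10:05:00Z user=eve host=fin-db01 action=query rows=5
"""

VOLUME_FACTOR = 3  # result sets above this multiple of the user's past maximum are flagged


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def build_baseline(events):
    """Per user: hosts used, earliest and latest hour of activity, largest result set."""
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"hosts": set(), "min_hour": 23, "max_hour": 0, "max_rows": 0})
        b["hosts"].add(e["host"])
        b["min_hour"] = min(b["min_hour"], e["ts"].hour)
        b["max_hour"] = max(b["max_hour"], e["ts"].hour)
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def score(events, baseline):
    """Return (timestamp, user, flags) for every event that deviates from the baseline."""
    alerts = []
    for e in events:
        flags = []
        b = baseline.get(e["user"])
        if b is None:
            flags.append("unknown_user")  # no history at all: needs a human look
        else:
            if e["host"] not in b["hosts"]:
                flags.append("new_host")
            if not b["min_hour"] <= e["ts"].hour <= b["max_hour"]:
                flags.append("off_hours")
            if e["rows"] > VOLUME_FACTOR * b["max_rows"]:
                flags.append("volume_spike")
        if flags:
            alerts.append((e["ts"].isoformat(), e["user"], flags))
    return alerts


def run(baseline_log=BASELINE_LOG, review_log=REVIEW_LOG):
    """Build the baseline from the training window and score the review window."""
    return score(parse(review_log), build_baseline(parse(baseline_log)))


if __name__ == "__main__":
    for ts, user, flags in run():
        print(ts, user, ",".join(flags))
```

On the sample data alice's daytime query is silent, her late-night export of a far larger result set raises off-hours and volume flags, bob's first visit to the finance database raises a new-host flag, and an account with no history at all is surfaced for review. A production version would learn the baseline over weeks rather than days and feed the alerts into the second line's issue tracking so that each one is resolved and trended, as the text describes.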

Topic 6: IT Auditing, SDLC, and Change Management
This topic starts with an overview of IT objectives. It then
looks at IT auditing and reviews its risks. The topic also
addresses the core activities in the systems development
life cycle (SDLC): requirements definition, design,
developing, testing, debugging, deployment (and delivery),
and maintenance. The topic also helps internal auditors
understand the importance of change controls throughout
the SDLC.
According to The IIA
In addition to reviewing the contents of this topic,
students can review the following IIA materials:
Global Technology Audit Guide (GTAG) 4,
“Management of IT Auditing,” 2nd Edition
Global Technology Audit Guide (GTAG) 1, “Information
Technology Risk and Controls,” 2nd Edition
Global Technology Audit Guide (GTAG) 8, “Auditing
Application Controls”
Global Technology Audit Guide, “IT Change
Management: Critical for Organizational Success,” 3rd
Edition

Goals of IT
Access to relevant and reliable information is key to
business decision making. Relevance includes timeliness of
information and an appropriate level of detail. Successfully
applied information technology speeds the availability of
information, automates aggregation and sorting of data, and
ensures information accuracy. IT is successfully applied
when the organization is able to use it to:
Fulfill business objectives.
Measure and address risks appropriately.
Grow and adapt fluidly.
Communicate effectively internally and externally.
React quickly to business opportunities as they arise.

Management of IT Auditing
The IIA’s Global Technology Audit Guide (GTAG) 4,
“Management of IT Auditing,” 2nd Edition is summarized in
brief here. Internal audits of IT use the same basic process
as any audit, per Standard 2200 and the steps in the
“Engagement Planning: Establishing Objectives and Scope”
Practice Guide (understand context, gather information,
assess risks, form objectives, establish scope, allocate
resources, and document the plan). Considerations for each
step are provided next.

Understand Context and Gather Information

According to The IIA
Implementation Standard 2110.A2 (Assurance
Engagements)
The internal audit activity must assess whether the
information technology governance of the organization
supports the organization’s strategies and objectives.
Understanding the business context for IT auditing and
identifying the IT portions of the audit universe start by
understanding the organization’s business strategy. IT
strategy, IT processes, and IT projects exist to support and
enable this strategy and therefore should be in alignment
with organizational strategy. The CAE will need to map the
organization’s operations and IT infrastructure to:
Understand the impact of IT on strategy execution as well
as the execution of strategies at business process levels.
Define the boundaries of IT, such as whether or not the
physical security systems or telecommunications systems
are part of IT.
Highlight previously unidentified risks that should be
communicated to senior management and IT
management.

While IT general controls could be centralized,
decentralized, or a mix of the two, cloud computing and
other trends continue to make central control less feasible
as a pure strategy. Thinking about IT risks and controls as a
layered model will help internal auditors better understand
the context for audit priority, risk assessment, and control
evaluation. Exhibit 3-30 shows a generic model of the layers
within IT management.
Exhibit 3-30: IT Management Layers
Key Point
A key point about IT management layers is that the
technical infrastructure layer is harder to understand both
conceptually and in terms of its risk and control
implications than the applications (software) layer. For
example, for procurement:
The three-way match process at the application level is
fairly straightforward to assess for existence and proper
functioning.
However, at the database level, one insider (or hacker)
threat is alteration of bank account routing numbers for
Automated Clearinghouse (ACH) payments. A person with
the right skills and access could divert funds without
triggering security, control, and audit trail mechanisms.
If the bank allows payments to unknown account
numbers, the problem would not be known until the
authorized recipients report not getting the money.
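
The database-level scenario in the key point is exactly the kind of exposure a technology-based audit technique can test for: a change made directly to the vendor master bypasses the application's workflow, so the detective control is to compare snapshots of the bank fields and demand an approved change ticket for every difference. The following Python script is an added example, not code from the guide or from The IIA. The vendor snapshots, the ticket records and the field names are constructed sample data; the ABA routing-number checksum (digit weights 3, 7, 1 repeating, sum divisible by 10) is the published check for U.S. routing transit numbers and is included as a data-quality test that goes slightly beyond the scenario in the text.

```python
"""Audit analytic for the ACH scenario: diff two snapshots of the vendor
master's bank fields, match every change to an approved change ticket, and
sanity-check routing numbers with the ABA checksum.
Added example with constructed data; not the guide's own code."""

# Constructed snapshots of the vendor master: vendor_id -> (routing, account).
PREVIOUS = {
    "V100": ("021000021", "1111222233"),
    "V200": ("011000015", "5555666677"),
    "V300": ("021000021", "9999000011"),
}
CURRENT = {
    "V100": ("021000021", "1111222233"),
    "V200": ("021000021", "4444333322"),  # changed through the workflow; ticket exists
    "V300": ("123456789", "9999000011"),  # changed directly in the database; no ticket
}

# Constructed change tickets from the application's vendor maintenance workflow.
TICKETS = [
    {"vendor": "V200", "routing": "021000021", "account": "4444333322",
     "ticket": "CHG-1042", "requested_by": "ap_clerk1", "approved_by": "ap_super1"},
]


def aba_checksum_ok(routing):
    """ABA routing transit number check: weighted digit sum (3,7,1 repeating) mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def diff_bank_details(previous, current):
    """Vendors whose routing or account number differs between snapshots (new vendors included)."""
    return {vendor: fields for vendor, fields in current.items()
            if previous.get(vendor) != fields}


def reconcile(changes, tickets):
    """Return (vendor, issue) pairs. A change is clean only when an approved ticket
    carries both new values and was approved by someone other than the requester."""
    findings = []
    for vendor, (routing, account) in sorted(changes.items()):
        matches = [t for t in tickets
                   if t["vendor"] == vendor and (t["routing"], t["account"]) == (routing, account)]
        if not matches:
            findings.append((vendor, "bank_change_without_approved_ticket"))
        elif all(t["requested_by"] == t["approved_by"] for t in matches):
            findings.append((vendor, "ticket_self_approved"))
        if not aba_checksum_ok(routing):
            findings.append((vendor, "invalid_routing_checksum"))
    return findings


def audit(previous=PREVIOUS, current=CURRENT, tickets=TICKETS):
    """Run the full comparison and return the list of findings."""
    return reconcile(diff_bank_details(previous, current), tickets)


if __name__ == "__main__":
    for vendor, issue in audit():
        print(vendor, issue)
```

On the sample data V200's change is backed by a ticket with separate requester and approver and is silent, while V300's routing number changed with no ticket at all and also fails the checksum, which is what a hand-edited value in the database often looks like. Running the comparison on every payment cycle closes the gap the key point describes: the alteration is caught before the payment run rather than after a vendor reports a missing payment.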

Let’s briefly review each of these layers.

IT management layer. IT management comprises the
set of people, policies, procedures, and processes that
manage IT services and facilities. This layer includes IT
governance, security management, system monitoring,
programming, planning, vendor management, problem
and incident management, change management, IT
project management, and disaster recovery. Audits will
focus on the people and the tasks they perform rather
than the technical details.

External connections layer. External connections to the
Internet (such as for customer account self-management)
have different risks and controls than other external
connections, such as to third-party business partner
networks and cloud services. All communications to and
from external networks should be considered a risk and
should be tightly controlled and monitored based on the
risk level. At a minimum, an inventory of all entry and exit
points needs to be maintained.

Technical infrastructure layer. Various technologies
underlie, support, and enable the primary business
applications, including operating systems, databases,
networks, and data centers (e.g., server rooms). It is
important to understand that technical infrastructure
audits focus on a review of technical configuration
settings in combination with their associated management
processes (such as monitoring of privileged access users).

Applications layer. Applications include transactional
applications (developed in-house, by vendors, or
customized) as well as support applications that facilitate
business but do not process transactions (e.g., email, data
analytics, data warehouses). The bulk of IT audit attention
is on transactional applications, but support applications,
such as those that support external reporting or
manufacturing machinery, could be high risk as well.
Some applications require specialized knowledge for
audits.

Assess Risks, Form Objectives, and Establish Scope
When assessing risks to determine audit objectives and
scope (both at the audit plan level and for individual
engagements), use of the organization’s normal risk
management framework is a best practice. It is better to use
one consistent approach for all risk types. Due to the fast
pace of IT change, the risk assessment (and audit universe)
will need to be updated regularly.

Similarly, there should not be a separate IT audit universe; it
is part of the overall audit universe. However, there can be
a grouping by audit type to facilitate allocation of specialist
IT resources. The internal audit activity should also leverage
whatever IT control framework the organization has
selected, such as COBIT. This can help enable completeness,
for example, including offshore service providers or
automated business processes. Sharing the audit universe
with relevant business partners is also a best practice.

While specific IT risks are addressed elsewhere, in general,
it is important to assess:
Probability and impact using objective data such as IT
statistics and error logs (e.g., number of incidents).
Subjective data such as interviews with process owners
(especially for difficult-to-measure risks).

Risks with obvious severe negative consequences (like the
loss of a data center) will require a response, so there is no
need to quantify the risk. For less obvious risks, internal
auditors look at the size (e.g., by budget) and business
criticality (e.g., number of business entities the application
supports or will support) of the IT project or underlying
business function.

Allocate Resources
According to The IIA
Implementation Standard 1210.A3 (Assurance
Engagements)
Internal auditors must have sufficient knowledge of key
information technology risks and controls and available
technology-based audit techniques to perform their
assigned work. However, not all internal auditors are
expected to have the expertise of an internal auditor
whose primary responsibility is information technology
auditing.

When developing the audit universe and audit plan
priorities, it is important to call out potential projects that
will require IT staff resources and IT audit specialist skills. A
frequent issue with allocating resources is that audits of a
business area unrelated to IT often still have strong demand
for IT specialist resources simply because so many business
functions are now deeply dependent upon information
systems.

To support Standard 1210, “Proficiency,” it is important for
the CAE to realize that there is a wide variety of IT
competencies and a specialist may be competent in one
area but not in others. For example, the skill set needed to
audit a firewall configuration is vastly different from the set
needed to audit accounts payable configuration database
tables. Training, cosourcing, outsourcing, and recruitment
efforts will need to focus on knowledge gaps or areas high in
demand. Making an overview of the different skill sets that
are needed and then creating an inventory of current skills
will help develop this gap analysis.

Document the Plan

According to The IIA
Implementation Standard 1220.A2 (Assurance
Engagements)
In exercising due professional care, internal auditors
must consider the use of technology-based audit and
other data analysis techniques.

While most of an IT audit engagement plan will be the same
as for any other type of audit, here we focus on some of the
differences:

Some IT domains will be audited exclusively by specialist
IT auditors, but audits of IT-enabled business processes
take a view of the whole value chain and require
collaboration with non-specialist auditors. Which party
leads matters less than collaborating to deliver the
optimal audit result.

If an IT control framework does not exist at the
organization, the CAE should select an appropriate
framework based on best fit. (Perfect fit is not needed.)

Audit testing tools selected should pass a cost-benefit test
and should enable consistency and efficient review of
large populations of data. Such tools are often used by
hackers to probe a system. They include:
Security analysis tools. An important example of such
tools is network analysis tools, which gather information
about a network, validate the accuracy of network
diagrams, identify network devices needing additional
audit attention, and inventory what traffic is permitted
across the network.
Vulnerability assessment tools. This software
automatically checks for known vulnerabilities such as
default passwords or settings. Auditors can plug in a
range for automated search, and the tool creates a
report. Because such tools could impact the integrity of
the systems they are checking, it is important to
coordinate the tests with a security officer (or use the
results of their tests).
Application security analysis tools. Large
applications such as ERP systems often have vendor-
supplied security tools to analyze systems against pre-
configured rules (e.g., vendor “best practices” that may
need to be evaluated to see if they apply) or
segregation of duties.

Plans for reporting to management should take into
account the level of detail that these parties need rather
than burying the actionable information in unnecessary
detail. The focus should be on business risk. In many
cases, the results of individual engagements in specific
areas can be consolidated to highlight the overall process
risks and controls.

Risks Specific to IT
IT and auditing are primarily concerned with information
risk, which includes the risk that inaccurate information is
used to make a business decision. However, widespread use
of IT for all business processes has led internal auditing
away from a focus on assurance regarding historical data at
a specific point in time to assurance about the reliability of
processes. If the process is wrong, the data will be, too, and
vice versa. Therefore, internal auditing can help mitigate
information risk. Note that this does not preclude auditing
transactions to determine the impact on the business.

IT can potentially remove risks from a manual system, but it
introduces its own risks. In addition, because of the nature
of IT activities, these risks may also affect each other.

Physical audit trail replaced by data trail. Many
physical documents are eliminated for audits, and controls
must be used to compensate.

Hardware/software failure. Permanent loss of data,
e.g., from environmental damage, outages, civil
disruption, ransomware, and disasters, is costly.

Systematic errors. IT reduces random errors such as in
data entry, but automated systems can uniformly
duplicate errors, e.g., via faulty code.

Fewer human inputs/less segregation of duties.
Many IT systems reduce labor costs through automation.
Mitigating controls include reviewing segregation of duties
and requiring end users to review their output at a low
enough level of aggregation to catch problems.

Access authorization. Increased ability to access
sensitive information remotely also increases the risk of
unauthorized access.

Automated transaction authorization. Transactions
that formerly required review and authorization, such as
credit decisions, can be entirely regulated by an
application. Authorization assurance rests on software
controls and master file integrity.

Deliberate harmful acts. Outside individuals can cause
significant harm to an organization. Trusted insiders are a
source of significant risk.

IT Auditing Challenges
To identify and assess the control of IT risks properly, an
internal auditor must:

Understand the purpose of an IT control, what type of
control it is, and what it is meant to accomplish, for
example, whether it is preventive or detective.

Appreciate the significance of the control to the
enterprise:
Benefits that accrue through the control (e.g.,
compliance or competitive advantage).
Damage that a weak or nonexistent control can cause.

Identify which individuals or positions are responsible for
performing what tasks.

Balance the risk posed with the requirements of creating a
control.

Implement an appropriate control framework and auditing
plan.

Remain current with methodologies and business
objectives.

Exhibit 3-31 summarizes the challenges internal auditors
must master in conducting IT audits.

Exhibit 3-31: Challenges of IT Auditing

Assessing IT Controls
Understanding IT controls: Governance, management, technical; general, application; preventive, detective; information security.
Importance of IT controls: Reliability and effectiveness; competitive advantage; legislation and regulation.
Roles and responsibilities: Governance; management; audit.
Risk: Risk analysis; risk response; baseline controls.
Monitoring and techniques: Control framework; frequency.
Assessment: Methodologies; audit committee interface.

Source: Practice Guide “Information Technology Risk and Controls,” second edition.

CAE Role in IT Audits
The CAE is responsible for ensuring a balance between the
enterprise and its IT controls and proper implementation of
a control framework. This involves:
Understanding the organization’s IT control environment.
Being aware of all legal and regulatory requirements.
Assessing whether roles related to IT controls are
appropriate.
Developing and implementing an internal audit activity IT
risk assessment process for annual audit planning. (IT
management should have its own independent risk
assessment process.)
Identifying all internal and external monitoring processes.
Establishing appropriate metrics for control success and
policies for communicating with management.
Communicating IT risks and controls to the board and
management in an understandable way.

Systems Development Life Cycle (SDLC)
IT systems have a life cycle, from design through
implementation to maintenance. Early systems designs
were left largely to IT specialists. A better approach is team
design. The purpose of team design is to ensure that the
needs of all stakeholders are considered. The steps in the
process are:
Feasibility study.
Request for system design.
High-level design.
Detailed systems design.
Program coding and testing.
Conversion (of old data files).
Implementation.
Maintenance.

The internal audit activity can add value to this process. For
example, during the feasibility study, internal audit can
provide assurance that the team is adequately staffed,
control deficiencies are remedied, the system can
accommodate growth, budgets are reasonable, and users
agree to the change.

The use of a formal or normative model for systems
development helps developers in much the same way that
the use of project management keeps a project progressing
toward its goals while handling problems in an orderly
fashion rather than as emergencies. Internal auditors can
use a normative model to observe where actual practice
differs from expected practice in the model. One such
normative model is the systems development life cycle
(SDLC).

SDLC Steps
A development methodology is a vital tool because it forces
management to be involved rather than relegating IT to
specialists. Requiring a feasibility study, policies, objectives
and standards, and testing forces IT to be treated as a
resource that must be managed. Formal processes help
managers understand how they can be involved. In fact, all
stakeholders for a system should be involved in the formal
process.

Indicators of effective IT controls for systems development
include the ability to execute new system plans within
budget and on time. Resource allocation should be
predictable.

The traditional SDLC is a sequential process, moving
between formal stages, where one step is completed before
the next is begun. In this version of the SDLC, end users are
not involved in the process other than as interviewees and
reviewers of completed work. Systems analysts and
programmers design and build the system. Most
organizations now use a modified SDLC, because they have
found that engaging end users thoroughly from the start
results in a better product that is “owned” by its users.
Another well-established trend is using agile project
management to manage the design, programming, testing,
and conversion and implementation phases of the SDLC.

Exhibit 3-32 shows the SDLC. Each step is described in
detail following the exhibit.

Exhibit 3-32: Systems Development Life Cycle

SDLC: Requirements and Design

Systems Planning
In the systems planning phase of the SDLC, executives and
IT management establish a long-term technology strategy
that measures success by its fulfillment of business strategy.
Capital investments are allocated in accordance with
business priorities. Systems planning is often conducted by
an IT steering committee with members from top
management and IT. While management alone may not be
able to assess if standards are adequate, the committee
should be able to do so collectively. The basic question
asked at this level is “What problems exist, and are they
worth fixing by use of scarce resources?” The committee:
Sets IT policy.
Approves both long- and short-term plans, including a
master plan to schedule resources for all approved IT
projects.
Provides monitoring and oversight.
Assesses the impact of new IT.
Streamlines related business processes.

Systems Analysis
While systems planning is used to identify problems or
challenges that are worth addressing in the design and
development of new systems, systems analysis is used to
point out deficiencies and opportunities in existing IT
systems. Systems analysis could indicate that existing
system modification is more cost-effective than a new
system, or vice versa. The result of systems analysis is a
request for systems design or selection. This is a written
request submitted either to the steering committee (for
large projects) or to IT management (for smaller projects). If
approved, the committee allocates money for a feasibility
study.

Feasibility studies indicate the benefits to be obtained if a
proposed system is purchased, leased as a service, or
developed, including its operational impact. Off-the-shelf
software and outsourced software development are
evaluated against internal development costs and time to
market.

Feasibility studies:

Identify the needs of all related parties—management, IT
professionals, users—and develop metrics for future
assessment (e.g., time frame, functionality, cost).

Analyze the proposed system against:
Needs.
Defined resources (e.g., budget, personnel).
Additional costs and future impacts (e.g., impact on
existing systems/hardware, additional training/staffing).
Technology trends.
Alignment with enterprise strategies and objectives.

Perform cost-benefit analysis.

Identify the best risk-based alternative (e.g., no change, a
new system, reengineering an existing system, buying an
off-the-shelf product, customization, or lease of software).

Feasibility study conclusions should provide the basis for a
go/no go decision. The feasibility study results require
written approval of the committee or IT management.
Internal auditors should be involved here to ensure that
control and auditability requirements are included in the
scope of the project. Specific controls are defined in the next
step.

Systems Design/Selection
Systems design occurs in two phases: high-level design and
detailed design. In between these steps, sometimes
prototyping (rapid creation of an experimental bare-bones
system) is performed. Prototyping makes a functioning
model for users to interact with; they can then suggest
improvements. The prototype may have more than one
revision.

High-level systems design has four steps:
1. Analyze inputs, processing, and outputs of existing or
proposed system.
2. Break down user requirements into specifics, such as
support for a particular inventory valuation method or
costing technique.
3. Define functional specifications to accomplish business
goals, e.g., accounts receivable data updates customer
credit.
4. Compare make-or-buy alternatives, including any needed
configuration or customization.

Flowcharts showing the path of inputs/outputs can help
clarify processing tasks and ensure that user needs are
being met. Structural design can facilitate development by
identifying and organizing sub-processes. At this time, data
files and the database structure must also be considered as
well as how existing files and databases can be converted to
the new system.

If the decision is made to buy a system, systems selection
begins. Assuming approval, a detailed systems design is
created for both internally developed systems and for
purchased software that needs modification. This is a
blueprint including program specifications and layouts for
files, reports, and display screens. Planners flowchart each
process, including the method of implementation and
testing. Specific areas of customization are authorized
(controls need to minimize this), and configuration settings
are determined.

SDLC: Development
Typically organizations purchase off-the-shelf software or a
subscription to a cloud-based software service. Purchased
software should be configured rather than customized due
to cost, time, and licensing considerations as well as the risk
of incompatibility with newer versions of the systems.
Software that is hosted on a cloud-based service is
automatically kept up to date with the latest version.
Customization is not an option for cloud-based software, but
some degree of configuration may be available. Off-the-
shelf and cloud-based systems also incorporate best
practices and well-developed controls and have complete
documentation.

Programmers must get sign-off from superiors at
appropriate milestones. Programmers should follow a
detailed systems road map when writing or reusing code,
debugging code, converting existing data and processes to
the new system, reconfiguring and acquiring hardware as
needed, and training staff. Source code must be protected
during the project by a librarian. Online programming allows
programmers to write and compile code using real data. It
also speeds development time. However, it does introduce
risks that must be controlled:
Creation of multiple versions of programs
Unauthorized access
Overwriting of valid code

SDLC: Testing and Debugging
Testing involves creating a testing plan, collecting or
creating testing scenarios, executing the tests and
managing test conditions, collecting and evaluating
feedback, and reporting the results.

Testing and quality assurance are done in two phases: unit
testing and system testing.
Unit or performance testing keeps the application in
isolation to find internal bugs. (Bugs are errors in software
code that can cause aberrant behavior or worse.) It is
useful to conduct unit testing as early as possible to
prevent errors from affecting ongoing work in other units
(often as a required part of the programming step).
System testing strings together all programs in the
application to find intercommunication bugs.

In addition, the new or acquired system’s operation must be
tested in an interface with all other systems with which data
is transferred. Before implementation, the system faces final
acceptance testing for quality assurance purposes and user
acceptance.

Testing terminology includes the following:
Debugging—checking software for bugs
Load testing—examining a system’s performance when
running under a heavy load (e.g., a large number of
simultaneous users)
Throughput testing—validating that a system can process
transactions within the promised time
Alpha testing—conducted by developers
Beta testing—conducted by users
Pilot testing—a preliminary and focused test of system
function
Regression testing—confirming that revisions have
corrected problems and not introduced new ones and
checking for backward compatibility
Sociability testing (SOCT)—testing the system in its
intended environment, with actual hardware and
resources, while running with competing and collaborating
applications
Security testing—validating the ability to control
vulnerabilities

In some instances, testing may be conducted automatically,
during off-peak use times, thus speeding testing and
development.

Teams not involved in programming deliberately try to make
the system fail. Security applications can be tested by
deliberately trying to hack into the system. Auditors should
make sure that testing is given sufficient resources, time,
and attention. In addition, review of testing results, potential
issues identification, and test result follow-up are vital to
ensure that testing results in practical improvements.

SDLC: Delivery/Deployment
Conversion is the process of migrating any data to the new
system and going “live.” This area is of particular concern to
audits, because errors can be introduced at this point (after
testing) and not detected until they cause material harm.
Errors include incorrectly converting code, truncating fields,
use of the wrong decimal place in calculations, and loss of
records. Manual conversion is physical data entry of old
records and should be avoided if possible. To reduce data
entry errors, hash totals, record counts, and visual
inspections should be used. Both automated and manual
data migration should include a data cleansing step.
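As an added example that is not from the study guide, the following Python computes the record counts, hash totals, and control totals mentioned above for a constructed legacy accounts-receivable extract and its flawed migrated copy, then uses a keyed comparison to locate the lost record, truncated field, and decimal-place error that the batch totals only signal; the field names and data are assumptions.

```python
"""Conversion controls for a data migration: record counts, hash totals and
control totals, followed by a per-record comparison to locate the failures.

Added example (not from the study guide). The legacy and migrated data sets
are constructed for illustration; field names are assumptions.
"""
from decimal import Decimal

# Constructed legacy extract: (account_no, customer_name, balance)
LEGACY = [
    ("10001", "Acme Industrial Supply", Decimal("1250.00")),
    ("10002", "Bolt & Nut Company", Decimal("89.95")),
    ("10003", "Northwind Traders Limited", Decimal("17400.10")),
    ("10004", "Zeta Logistics", Decimal("0.00")),
]

# Constructed output of a flawed conversion:
#  - account 10002: balance scaled by 100 (wrong decimal place)
#  - account 10003: customer name truncated to a 20-character field
#  - account 10004: record lost entirely
MIGRATED = [
    ("10001", "Acme Industrial Supply", Decimal("1250.00")),
    ("10002", "Bolt & Nut Company", Decimal("8995.00")),
    ("10003", "Northwind Traders Li", Decimal("17400.10")),
]


def batch_totals(records):
    """Batch control figures compared before and after migration.

    record_count:  number of records
    hash_total:    sum of the account numbers; a meaningless figure whose only
                   purpose is to change if any record is dropped or altered
    control_total: sum of the balances; a financially meaningful total
    """
    return {
        "record_count": len(records),
        "hash_total": sum(int(acct) for acct, _, _ in records),
        "control_total": sum((bal for _, _, bal in records), Decimal("0")),
    }


def reconcile(legacy, migrated):
    """Compare batch totals, then locate individual discrepancies.

    Returns the two sets of totals, a 'balanced' flag, and a list of
    human-readable exceptions for the conversion review.
    """
    before, after = batch_totals(legacy), batch_totals(migrated)
    exceptions = []
    for name in ("record_count", "hash_total", "control_total"):
        if before[name] != after[name]:
            exceptions.append(f"{name} mismatch: legacy={before[name]} migrated={after[name]}")

    # Totals only say *that* something is wrong; a keyed comparison says *what*.
    by_acct = {acct: (cust, bal) for acct, cust, bal in migrated}
    for acct, cust, bal in legacy:
        if acct not in by_acct:
            exceptions.append(f"{acct}: record lost in conversion")
            continue
        m_cust, m_bal = by_acct[acct]
        if m_cust != cust:
            if cust.startswith(m_cust):
                exceptions.append(f"{acct}: customer name truncated to {len(m_cust)} chars")
            else:
                exceptions.append(f"{acct}: customer name changed")
        if m_bal != bal:
            # A balance off by exactly a power of ten points at a decimal-place
            # error rather than at a genuine transaction difference.
            ratio = (m_bal / bal) if bal else None
            if ratio in (Decimal(100), Decimal("0.01")):
                exceptions.append(f"{acct}: balance off by factor {ratio:f} (decimal place)")
            else:
                exceptions.append(f"{acct}: balance mismatch {bal} -> {m_bal}")
    extra = set(by_acct) - {acct for acct, _, _ in legacy}
    for acct in sorted(extra):
        exceptions.append(f"{acct}: record not present in legacy data")
    return {"legacy": before, "migrated": after,
            "balanced": not exceptions, "exceptions": exceptions}


if __name__ == "__main__":
    result = reconcile(LEGACY, MIGRATED)
    print("balanced:", result["balanced"])
    for line in result["exceptions"]:
        print(" -", line)
```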

Adequate preparation and training of staff and end users
must be planned and implemented as well.

Implementation is turning on the new system. Management
must sign off on the conversion review. Different
implementation approaches can be used.
Big bang or cutover approaches have the entire system go
“live” at the same time.
Phased approaches are implemented by department or
plant.
Pilot approaches implement a test version and run it for a
given period prior to full implementation.
Parallel approaches run the old and new systems
simultaneously for a period, requiring double entry of all
transactions. This safeguards business continuity and
provides independent system verification through
comparison of process totals.

Regardless of the method, internal auditors should ensure
that a backout procedure exists.

User support, such as help desks and documentation, must
be available at the time of implementation.

After implementation, the new/acquired system and project
should be reviewed, using the metrics defined at the
beginning of the project. Attention should focus on whether:
The system has met user requirements (in terms of
resource use and performance).
Specified controls have been created and are adequate.
The development process was conducted in compliance
with policy.

SDLC: Maintenance
Operations and maintenance are ongoing activities that
continue for the life of the software. It is important that
management schedule and communicate the need for
system downtime for routine maintenance.

SDLC Documentation
The change log is only part of the documentation produced
by the SDLC. Large amounts of other documentation and
formal specifications—covering, among other things, the
software, the related business process, security features,
and backup processes—are also produced.

Documentation can be a boon to auditors if it is easy to use,
so it should be clear and concise and follow a structured and
well-communicated methodology.

A risk is that programmers could shirk their documentation
duties, preferring to move on to the next task. Early auditor
involvement and having a designated person review the
documentation as it is submitted can help lower this risk.
Asking developers for personal notes can help fill in some
blanks. Attempting to change a system without
documentation can be made even more difficult if turnover
occurs. Documentation is also a control for preventing fraud,
but it is useful only if all valid changes are recorded.

Another problem with documentation and the traditional
SDLC appears when a long-duration project needs to be
changed due to shifting business requirements, new
technologies, or releases of an application. In this case, the
documentation needs to be updated. Therefore the urge to
fix design flaws discovered later in the process is sometimes
suppressed by freezing the specifications, which could result
in a less-than-useful tool. Agile software development
methods address these risks.

Agile Software Development
The traditional SDLC can create inefficiencies through its
rigidly enforced sequence of events and its assumption that
the requirements for the software can be known or frozen
early in the project. However, software requirements often
cannot be known until significant development work has
occurred. The customer often also identifies new
requirements even late in development that would be key to
competitive advantage.

Agile is an umbrella term for a number of project
management methodologies for software engineering or
other projects that have high requirements and scope
uncertainty even late in the project and so need to enable
frequent changes in a cost-effective manner. Examples
include Scrum, the Kanban method, and eXtreme
Programming.

Agile uses both increments and iterations:
Increments create a new/improved system release by
release. A release is a relatively self-contained portion of
functionality released into production as soon as it is
“done.” The definition of “done” includes the programmer
doing all testing and quality steps.
Iterations are a series of very short SDLC cycles. Each
cycle, or iteration, has its own requirements definition,
design, planning, development, testing, and feedback
steps. Typical iteration durations are one to six weeks, and
many methods have fixed-duration iterations with regular
meetings, including brief daily meetings called standups
and a meeting called a retrospective for continuous
improvement. This allows new requirements to be
incorporated quickly and with much lower risk of
replanning or rework.

Here are a few other qualities of agile development:
An agile role is the scrum master, who is like a project
manager but is an expert in the chosen agile methodology
and helps enforce its use. The scrum master is more of an
enabler (removes obstacles) and a coach, since
collaboration is extremely important in agile and team
members take the lead whenever they have the most
expertise.
The customer (called the product owner) needs to be
involved on a daily basis and serves as the change control
owner. The product owner attends all meetings with the
software developers and helps set or change priorities.
Change control is less formal and more collegiate. The
product owner meets with the other stakeholders and
represents their interests. In this way, use of the agile
methodology can significantly reduce the risk that a
project will be outdated before it is finished.
While documentation is still necessary, its importance is
reduced. The primary measure of success is working
software.
Many programmers employ reusable code to speed
development.
The team uses a Kanban board, which is a physical space
like a whiteboard or software that empowers team
members to pick what they want to work on next from a
continually updated, reprioritized list of tasks and their
current status. It ensures that the current work is done
before new work is started.

Auditing Agile Projects
Audits of agile methods tend to be more difficult than audits
of traditional methodologies, in part because agile is
designed to embrace uncertainty and in part because its
speed means that changes happen quickly. For example,
even when properly implemented, agile methods de-
emphasize documentation in priority, and poor
documentation can weaken an audit trail.

A thorough use of the chosen methodology can reduce risks
of failure. If the product owner fails to be involved on a daily
basis, information may have been missed, and the system
may function but not provide the right functions for business
needs. Gold plating (programmers adding unasked-for
features) or scope creep (stakeholders adding unnecessary
requirements) can also occur if the product owner is
ineffective at change management.

Risks related to emphasis on speed include that the system
could have poor scalability if a minimum viable product (the
smallest-scope first release) is chosen that takes shortcuts
or prioritizes easier releases and pushes the difficult ones
back. If an agile project starts running out of budget or
schedule, some high-priority releases may not yet be done.

Web Services and SOA
In addition to there being many ways to customize how
software projects are managed, software development
sometimes transcends the traditional boundaries of stand-
alone application development. One form this takes is web
services along with service-oriented architecture.

Web services use open Internet protocols and standards to
create stand-alone, modular software services that are
capable of describing themselves and integrating with other
similar services. Web services work independent of
platform, operating system, or computer language, and the
offerings of other providers can be leveraged without any
middleware.

Web services can work with traditional applications by
creating a universal wrapper around the message content.
They speed software development efforts because common
services such as a credit check tool can be found on a
registry server. Web services are especially good for making
automated or one-time connections with business partners.

A service-oriented architecture (SOA) is a software
system design that allows for sharing of web services as
needed. A service consumer sends out requests for services
to service providers, which either provide the service or
forward the request. SOA has an architecture goal of loose
coupling, which means that the data is separated from the
application and each service says what it needs another
service to do, not how to do it. Advantages include the
ability for remote users to access ERP systems using mobile
devices and for various applications to work together to
synthesize data into information faster. In addition,
developers have easier and faster upgrades.

What does this all mean for internal auditors? Despite the
many advantages of this set-up, control issues abound.
Internal governance models that were created for traditional
software will need to be reengineered. This is especially true
if the organization must comply with the rules of Section
404 of the U.S. Sarbanes-Oxley Act or an international
equivalent on internal controls. The openness of SOA
creates new risks to internal controls.

For example, in a traditional IT system, there would be
barriers between the sales, credit, and billing modules that
rely on logical access controls and role-based access.
Customers would be assigned a customer role and a
temporary unique ID. Their access would be restricted, and
moving further would require knowledge of the proprietary
interface that resides between the Internet portal and the
rest of the ERP system. Customers could create a purchase
but not change their credit.

In SOA architecture, all modules such as sales, credit, billing,
and the general ledger are web services connected to the
web. The system would still have a firewall and other
protections, but the SOA would be like a trunk line to which
each set of modules and databases is connected. The entire
ERP system would become a web service. Now the
customer’s ERP system gets approval for and establishes a
direct link to the organization’s ERP system. The two parties
can automate their trading. Therefore, some of the
segregation of duties will be missing. A compensating
control is to designate the system making the interface as a
user with its own role-based access. The ID of the user
commanding that “user” also needs to be mapped to prove
compliance with controls (e.g., nonrepudiation,
authentication, segregation of duties).

In the worst-case scenario, an organization with this set-up
could allow the SOA modules, such as the general ledger, to
communicate over port 80, an open channel that bypasses
the firewall. Any service anywhere could then modify the
general ledger.

Auditors may need to seek external assurance that the SOA
system can do either of the following:
Authenticate the external system, the system user, and
the user’s role or deny all service.
Place greater emphasis on application-level controls than
with a traditional set-up.
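The compensating control described earlier in this section (the interfacing system enrolled as a user with its own role-based access, with the ID of the person commanding it mapped onto every call) and the authenticate-or-deny-all-service requirement just above, shown as an added Python example that is not from the study guide; the module names, roles, service IDs, and sample calls are constructed.

```python
"""Authorization gateway for an SOA-style ERP interface.

Every call carries two identities: the calling system (enrolled as a service
user with a role) and the person commanding it. Nothing is allowed unless
authentication, enrollment, user mapping and role permission all pass, and
every decision is logged so segregation of duties can be checked per person.

Added example, not from the study guide; all names are constructed.
"""
from dataclasses import dataclass

# Role permissions keyed "module.operation". The customer's ERP system is
# enrolled in the 'customer_system' role: it may create purchases and read
# its invoices but may not touch its own credit limit or the general ledger.
ROLE_PERMISSIONS = {
    "customer_system": {"sales.create_order", "billing.read_invoice"},
    "sales_clerk": {"sales.create_order", "sales.read_order"},
    "credit_analyst": {"credit.update_limit", "credit.read"},
    "gl_accountant": {"gl.post_journal", "gl.read"},
}

# Systems enrolled as users, mapped to the single role each may act in.
SERVICE_USERS = {
    "acme-erp-b2b": "customer_system",
    "sales-portal": "sales_clerk",
    "credit-app": "credit_analyst",
}

# Pairs of operations one person should never be permitted to perform.
SOD_CONFLICTS = [("sales.create_order", "credit.update_limit")]


@dataclass
class Request:
    service_id: str        # the system making the interface call
    on_behalf_of: str      # the person (or scheduled job) commanding that system
    operation: str         # "module.operation"
    signature_valid: bool  # result of message authentication, assumed done upstream


@dataclass
class AuditEntry:
    service_id: str
    on_behalf_of: str
    operation: str
    allowed: bool
    reason: str


def authorize(req, log):
    """Decide one call, append the decision to the audit log, return (allowed, reason).

    The checks are ordered so that any failure denies service; 'permitted'
    is reached only when every check has passed.
    """
    role = SERVICE_USERS.get(req.service_id)
    if not req.signature_valid:
        reason = "message authentication failed"
    elif role is None:
        reason = "calling system is not an enrolled service user"
    elif not req.on_behalf_of:
        reason = "no commanding user mapped; call cannot be attributed"
    elif req.operation not in ROLE_PERMISSIONS.get(role, set()):
        reason = f"role '{role}' may not perform {req.operation}"
    else:
        reason = "permitted"
    allowed = reason == "permitted"
    log.append(AuditEntry(req.service_id, req.on_behalf_of, req.operation, allowed, reason))
    return allowed, reason


def sod_violations(log):
    """Commanding users who were permitted both halves of a conflicting pair,
    regardless of which system they acted through. Possible only because the
    human ID is mapped onto every service call."""
    done = {}
    for e in log:
        if e.allowed:
            done.setdefault(e.on_behalf_of, set()).add(e.operation)
    return sorted(user for user, ops in done.items()
                  if any(a in ops and b in ops for a, b in SOD_CONFLICTS))


if __name__ == "__main__":
    log = []
    calls = [
        Request("acme-erp-b2b", "j.doe@acme.example", "sales.create_order", True),
        Request("acme-erp-b2b", "j.doe@acme.example", "credit.update_limit", True),
        Request("acme-erp-b2b", "", "billing.read_invoice", True),
        Request("unknown-host", "someone", "gl.post_journal", True),
        Request("sales-portal", "m.lee", "sales.create_order", True),
        Request("credit-app", "m.lee", "credit.update_limit", True),
    ]
    for c in calls:
        authorize(c, log)
    for e in log:
        print(f"{e.service_id:13} {e.on_behalf_of or '<none>':20} {e.operation:20} "
              f"{'ALLOW' if e.allowed else 'DENY '} {e.reason}")
    print("SoD violations:", sod_violations(log))
```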

General audit recommendations include implementing SOA
in stages, starting with nonfinancial business functions. The
organization can then assess risks and controls.

IT Change Management
The Global Technology Audit Guide, “IT Change
Management: Critical for Organizational Success,” 3rd
Edition, defines change management broadly as “the
technology changes that affect an organization’s systems,
programs, or applications.”

Change management is an integral part of the
organization’s IT general controls (ITGCs). Change
management is no longer just an IT management
responsibility:
The entire senior management team is accountable for
managing change risks.
The board is responsible for holding management
accountable.
The internal audit activity leverages its independence,
objectivity, and holistic view of processes to help senior
management and the board recognize the importance of
IT change management, provide assurance, and help
improve programs.

Importance of Change Management
Changes in the IT environment may be frequent and
significant. Change controls can keep numerous noncritical
changes from resulting in lost productivity and blown
budgets while allowing for necessary changes and problem
escalation in emergencies. Change control can also prevent
implementation of unauthorized changes. Changes might be
unauthorized because they:
Are not in the scope of currently planned work.
Require thorough design, planning, and testing before
being included in updates.
Require a technical review as part of an internal control
step (e.g., to detect whether changes provide system
backdoors or other opportunities for programmer
malfeasance).

The internal auditor should look for adequate change
controls, including governance and security controls, audit
trails, quality assurance, provision for emergency changes,
source controls, and tracking. Changes must be approved by
management, follow development standards, and be tested.
The change controls should follow the organization’s or
project’s chosen methodology. The process and results
should be predictable, defined, and repeatable. In addition,
change control involves maintaining thorough
documentation in a change log.

Types of Change Management
Change management includes application code revisions;
system upgrades; infrastructure changes such as changes
to servers, routers, cabling, or firewalls; and security
patches/updates. Security patches/updates have significant
risks and so are discussed more next.

Security patches/updates, also called patch management,
are updates to applications that are already in production.
They involve installing a patch—a bundled set of fixes to a
software’s code to eliminate bugs or security vulnerabilities.
Patches should be handled as their own category.

High-performing organizations perform far fewer patches
than low-performing organizations. Organizations with poor
change management controls have low success for IT
changes due to project delays or scope creep. They suffer
from unexpected outages and may frequently be in crisis
mode, with many emergency or unauthorized changes.
Constant crisis creates stress and turnover for IT staff,
shows lack of control over escalation, and heightens risks
that a change will have unintended consequences. If IT staff
has no time for new projects, deteriorating service results.

If a change results in downtime or, even worse, a material
error in system data (such as in financial reporting data), it
could carry a higher risk of loss than even that of a system
attack. When a possible patch or change comes up, IT staff
and management should perform triage, sorting out the true
emergency situations. Criteria should be based on business
need and the relative risk of waiting. Changes to security
controls or to make a system resume functioning are high-
priority.

To make the change management process cost-effective,
multiple changes are bundled for release on a regular basis
(e.g., monthly); these are called blanket changes.

The organization should test planned changes using a
robust testing plan with a specific movement of changes
from environment to environment, called migration. The
purpose is to determine if there will be unintended
consequences of installing a patch or making another
change. Orchestration change tools are used to promote
code between environments and deploy patches. An
example of a series of environments for IT change migration
follows.
Development (DEV). The code under development
resides in this environment. Code that has been created
and unit-tested is incorporated here.
Testing (TEST). System testing occurs in a sandbox
environment, which is a copy of the system that is not the
production environment (the live version).
User acceptance testing (UAT). This sandbox
environment uses the full amount of user traffic and data.
Production (PROD). This is the live production
environment for end users. Production changes should be
performed in off-hours.
While the organization can prepare a software update and
should notify users of important vulnerability fixes, it may
be up to the end users to install patches, and failure to do
so could leave them vulnerable. In other cases, software
vendors can “push” changes automatically without requiring
end-user intervention (called automation “bot-driven”
changes), but the end user may need to opt in to such
programs. Cloud software, on the other hand, is updated for
all users simultaneously, since the software is not on end-
user systems.

Change Management Process Steps

The “IT Change Management” Global Technology Audit Guide lists the following change management process steps:
1. Identify the need for change.
2. Prepare. Document the step-by-step procedure for the change request, the change test plan, and a change rollback plan.
3. Justify the change and request approval. Determine the impact and cost-benefit; review associated risks and regulatory impact. The organization may use ticketing systems for reporting and managing bugs.
4. Request approvals.
5. Authorization. The change approval board rejects, approves, or requests more information. Set priorities relative to the overall schedule.
6. Schedule and coordinate change. Schedule a change implementer and a change tester, test in preproduction, communicate to affected parties, get final approval, and implement change.
7. Test in appropriate environment(s).
8. Implement change.
9. Verify/validate change. Back out change if unsuccessful.
10. Close change request and report to stakeholders. Document the final changes that were made. Measure change success, use of process, variances, and regulatory compliance. Report lessons learned. Revisit the change management process for improvement.

Change Management Risks

Exhibit 3-33 reviews some examples of change management risks.

Exhibit 3-33: Change Management Risks

General risks:
- Business objective failure
- Unauthorized or unrecorded changes
- Downtime or slowdowns
- Security issues
- Inefficiencies, inconsistencies, or financial misstatements
- Disgruntled staff or customers
- Failure to analyze threats or use change approval process

Patch-related risks:
- Poor documentation
- Small configuration change with big impact
- Poor timing of pushes that leaves end users unprepared
- Poor change success rate
- Cybersecurity vulnerabilities if changes are not made, are delayed, or are not fully implemented by end users

Emerging risks:
- Advanced systems that create new risk categories
- Cloud third-party risk impact on support infrastructure
- Mobile and bring-your-own-device (BYOD) changes made by organization versus by end user that create inconsistency
- End-user computing (e.g., open source) that makes it hard to design controls; lack of organizational time invested that makes it seem like lower audit priority than it is

Third-party and compliance risks:
- Vendor reports needed for compliance, but no guarantee that controls are effective
- Poorly determined division of controls between parties
- Lack of patch and patch notification clauses in contracts
- New or expanded regulations improperly change-controlled
- Poor change documentation that makes it hard to affirm internal controls over financial reporting (ICFR) or data privacy compliance

Controls for IT Change Management

IT change management starts with proper IT governance. Top management needs to set the proper tone. Segregation of duties and change authorization are key controls.

Complex production environments require more controls. Adherence to development methodologies such as the systems development life cycle is critical. Routine maintenance changes are easier to audit, because their results can be objectively determined and management override risk is low. More scrutiny is needed for software-based controls that detect when controls are being overridden, because the risk of management override is higher and auditors must subjectively judge their effectiveness. Software applications also have detective controls to verify production changes against authorizations. Other supervisory controls include the following:
Software development should report to a high enough level of management to keep department heads from improperly scheduling low-priority projects.
During outages, controls can be used to enable authorizations and changes to be made quickly to reduce repair time.
Preventive controls include enforcing change and patch management policies and having key stakeholders assess change risks.
Detective controls include measuring and correcting poor performance, such as by measuring the mean time to repair.

Exhibit 3-34 summarizes some risks, controls, and related metrics for IT change management.

Exhibit 3-34: Metrics for Determining IT Change Management Success

Risk: Unauthorized changes
Controls: Policy for zero unplanned changes; proactive management; detective software
Metrics: Number of unplanned changes; number of unplanned outages; number of changes authorized; number of changes implemented

Risk: Changes fail to be implemented or are late
Control: Change management process
Metrics: Greater than x% change success rate (high-performing organizations are near 100% and investigate all deviations); new work created by change

Risk: Unplanned work displaces planned work
Controls: Triage; planned changes bundled; patches treated as a normal process to expect
Metrics: Less than x% of work is unplanned (e.g., 5% or less); percentage of time on unplanned work; percentage of projects delivered late; percentage of patches installed in a planned software release

Source: Global Technology Audit Guide, “IT Change Management: Critical for Organizational Success,” 3rd Edition.
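Software applications can verify production changes against authorizations (the detective control mentioned above), and Exhibit 3-34 names the metrics an auditor would track. As an added example, not code from the GTAG or The IIA, the following script reconciles a constructed production change log against constructed change tickets and computes those metrics, flagging unrecorded, unapproved, and unplanned changes; the ticket and change identifiers and the 5% and 95% thresholds are assumptions.

```python
"""Audit reconciliation of a production change log against change tickets.

Added example (not GTAG or IIA code). The record types, the ticket and
change identifiers, and the 5%/95% thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChangeTicket:
    ticket_id: str
    approved: bool   # decision of the change approval board
    planned: bool    # scheduled into a bundled (e.g., monthly) release


@dataclass
class ProductionChange:
    change_id: str
    ticket_id: Optional[str]  # None: the deployment cites no ticket at all
    succeeded: bool           # verified in PROD; False means it was backed out


def reconcile(tickets: List[ChangeTicket], changes: List[ProductionChange],
              max_unplanned_pct: float = 5.0,
              min_success_pct: float = 95.0) -> dict:
    """Detective control: match each production change to an approved ticket
    and compute Exhibit 3-34 style metrics plus a list of exceptions."""
    by_id: Dict[str, ChangeTicket] = {t.ticket_id: t for t in tickets}
    unauthorized: Dict[str, str] = {}   # change_id -> reason
    authorized = unplanned = succeeded = 0

    for change in changes:
        ticket = by_id.get(change.ticket_id) if change.ticket_id else None
        if ticket is None:
            unauthorized[change.change_id] = "no change ticket on file"
        elif not ticket.approved:
            unauthorized[change.change_id] = (
                f"ticket {ticket.ticket_id} was not approved")
        else:
            authorized += 1
        # Unplanned work is anything not tied to an approved ticket in a
        # planned release: emergency and unauthorized changes both displace
        # planned work.
        if ticket is None or not ticket.approved or not ticket.planned:
            unplanned += 1
        if change.succeeded:
            succeeded += 1

    implemented = len(changes)

    def pct(count: int) -> float:
        return round(100.0 * count / implemented, 2) if implemented else 0.0

    report = {
        "changes_implemented": implemented,
        "changes_authorized": authorized,
        "unauthorized": unauthorized,
        "unplanned_changes": unplanned,
        "unplanned_pct": pct(unplanned),
        "change_success_pct": pct(succeeded),
        "exceptions": [],
    }
    for change_id, reason in unauthorized.items():
        report["exceptions"].append(f"{change_id}: {reason}")
    if report["unplanned_pct"] > max_unplanned_pct:
        report["exceptions"].append(
            f"unplanned work {report['unplanned_pct']}% exceeds "
            f"{max_unplanned_pct}% target")
    if implemented and report["change_success_pct"] < min_success_pct:
        report["exceptions"].append(
            f"change success rate {report['change_success_pct']}% below "
            f"{min_success_pct}% target")
    return report


# Constructed sample data with hypothetical identifiers.
SAMPLE_TICKETS = [
    ChangeTicket("T-1", approved=True, planned=True),
    ChangeTicket("T-2", approved=True, planned=True),
    ChangeTicket("T-3", approved=True, planned=False),  # emergency change
    ChangeTicket("T-4", approved=False, planned=True),  # rejected by the board
    ChangeTicket("T-5", approved=True, planned=True),
]
SAMPLE_CHANGES = [
    ProductionChange("CHG-1", "T-1", succeeded=True),
    ProductionChange("CHG-2", "T-2", succeeded=True),
    ProductionChange("CHG-3", None, succeeded=True),    # unrecorded change
    ProductionChange("CHG-4", "T-3", succeeded=False),  # backed out
    ProductionChange("CHG-5", "T-4", succeeded=True),   # deployed despite rejection
    ProductionChange("CHG-6", "T-5", succeeded=True),
]


def sample_report() -> dict:
    return reconcile(SAMPLE_TICKETS, SAMPLE_CHANGES)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```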

Another control is a system librarian, an IT role that provides control over original documentation and maintains and controls the change logs that show how the software has changed at each version. This practice helps track down the root causes of issues and facilitates software rollbacks to prior versions as needed. Even if a librarian position does not exist, the organization will likely have a code repository, which is a securely located repository that requires programmers to check out code they will work on.

Topic 7: IT Controls and Control Frameworks

This topic describes some IT control objectives and places IT controls in a system of classification, and it then helps internal auditors recognize the purpose and applications of basic IT controls and IT control frameworks such as COBIT, ISO 27000, and ITIL.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition

Basic IT Controls

Key Point

A key concept is that IT controls must provide continuous assurance for internal controls. A related concept is that auditors must provide independent assurance of this coverage.

Effective IT controls provide continuous assurance supported by a reliable and continuous trail of evidence. In addition, this assurance is itself assured through the internal auditor’s independent and objective assessment of the control. According to the Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition, the goals of the IT controls and the control framework are to provide and document:
Compliance with applicable regulations and legislation.
Consistency with the enterprise’s business objectives.
Continuity with management’s governance policies and risk appetite.

IT Control Objectives
IT internal control objectives include:
Protecting assets/resources/owners’ equity.
Ensuring that information is available, reliable, and
appropriately restricted.
Holding users accountable for functions performed.
Protecting customer privacy and identity.
Providing support and evidence of employee job
performance. (Employees can prove that they did the
right things.)
Maintaining data and system authenticity and integrity.
Assuring management that automated processes are
controlled.
Providing an audit trail for all automated and user-initiated
transactions.

Exhibit 3-35 lists some indicators of effective IT controls.

Exhibit 3-35: Indicators of Effective IT Controls

- Ability to execute and plan new work (e.g., IT infrastructure upgrades to support new products/services)
- Projects that come in on time and within budget, saving the organization time and resources and improving its competitive position
- Ability to allocate resources predictably
- Consistent availability of reliable information and IT services across the organization and with customers, partners, and external interfaces
- Clear communication to management of key indicators of effective IT control
- Ability to protect against new threats and vulnerabilities and to recover from disruptions quickly and efficiently
- Efficient use of a customer support center or help desk
- Heightened security awareness throughout the organization

Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Control Classification
The hierarchy of IT controls in Exhibit 3-36 is discussed next. Note that systems software controls and application-based controls were discussed in more detail elsewhere.
Exhibit 3-36: Hierarchy of IT Controls

Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Policies are IT governance controls. Governance controls are oversight rather than performance controls that rest with the board of directors and their committees, such as the audit committee, in consultation with executives.

Policy examples include security policies about the use of IT throughout the organization, data privacy, ownership, level of autonomy to create and use applications, and measures to assure business continuity. Policies must be approved by management (and the board of directors, as appropriate) and communicated throughout the organization to set the “tone at the top” and expectations. Policies need to be monitored and evaluated using metrics.

An organization may have a technology steering committee consisting of IT, key business functions, and internal audit. The committee prioritizes user technology requests given limited resources.

Management controls occupy the next three levels. They focus on identifying, prioritizing, and mitigating risks to the organization, its processes and operations, its assets, and its sensitive data. Such controls have a broad reach over many organizational areas, requiring collaboration between executives and the board. They include:
Standards for systems development processes (both those developed internally and those acquired from vendors), systems software configuration, and applications controls, data structures, and documentation.
Organization and management of lines of responsibility and reporting, incorporating separation of duties as appropriate, financial controls for IT investment, IT change management, and personnel controls.
Physical and environmental controls to mitigate risks from hazards such as fire or unauthorized access.

Technical controls form the remaining three levels and are the foundation of almost all other organizational IT controls. Technical controls are the specific controls that must be in place for management and governance controls to be effective. Automated technical controls implement and demonstrate compliance with policies. Technical controls include:
Systems software controls such as those controlling access rights, enforcing segregation of duties, detecting and preventing intrusion, implementing encryption, and managing change.
Systems development controls such as documentation of user requirements and confirmation that they have been met, a formal development process that incorporates testing, and proper maintenance.
Application-based controls that ensure that all input data is accurate, complete, authorized, and correct and is processed as intended; all stored and output data is accurate and complete; and all data processes are tracked from input, through storage, to eventual output.

Controls may be classified in other ways, for example, according to the way they are viewed throughout the organization. Exhibit 3-37 classifies controls by different perspectives.

Exhibit 3-37: Control Classifications

Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk and Controls,” 2nd Edition.

Since governance, management, and technical controls were addressed above, the other two sides of the cube are addressed in relation to IT next.

IT general controls (ITGC) and application controls
An IT general control (ITGC) applies generally to the IT environment or the overall mix of systems, networks, data, people, and processes (the IT infrastructure). The use of an IT control framework requires implementing a general control framework such as the COSO Internal Control—Integrated Framework.
An application control is related to the specific functioning (inputs, processing, outputs) of an application system that supports a specific business process. Balancing of process totals is an example.

Preventive controls, detective controls, and corrective controls
Preventive controls are designed to stop fraud or errors before they occur. Examples include a firewall, a drop-down menu, or assigning access privileges by job role.
Detective controls are triggered after an error (an exception condition) occurs, e.g., automated flagging of inactive users or review of exception reports for completed transactions to detect credit limit overrides.
Corrective controls are used once errors, fraud, or other control issues have been detected. They need their own preventive and detective controls to ensure that the process isn’t corrupted. Corrective controls range from automated error corrections to business continuity plans.

IT Control Frameworks
According to “Information Technology Risk and Controls,” a control framework is an outline that identifies the need for controls but does not depict how they are applied.
Control frameworks help determine the appropriate level of
IT controls within the overall organizational controls and
ensure the effectiveness of those controls. IT control
frameworks are internal control systems that help
managers:
Set IT control objectives.
Link IT to business processes and overall control
frameworks.
Identify key IT areas to leverage.
Create a process model that logically groups IT processes.

Why are control frameworks needed?

Managers need assurance that their IT processes are contributing to business objectives and competitive advantage.
The organization needs assurance that it is resilient because it can mitigate risks of fraud or cyber attacks.
Stakeholders need to know that the organization can be trusted.

One way to gain such assurance is for management to increase its understanding of IT operations without getting bogged down in the increasingly complex execution details. Breaking systems down into understandable processes helps managers combine business with IT strategy, align organizational structures, and set performance goals and metrics.

Control frameworks provide a methodology for seamlessly linking objectives to requirements and requirements to actual performance. A process model breaks IT down into easy-to-understand activities organized around the control objectives to be achieved and identifies resources to be leveraged. Control frameworks provide a foundational structure upon which effective regulatory compliance can be reasonably addressed and assured, such as for the U.S. Health Insurance Portability and Accountability Act (HIPAA).

Use of standardized, well-accepted frameworks means that there is a body of literature available for guidance and that users can benchmark against the standards or against competitors using similar methods. The framework should clearly communicate specific IT control roles—IT controls need to be everyone’s responsibility. IT controls can provide “defense in depth,” meaning that guidance on setting up multiple layers of controls reduces the likelihood of a control failure.

Selecting an IT Control Framework

Selecting an IT control framework involves deciding which model will benefit the entire organization, since the model will be used by a large number of employees with control responsibilities. Frameworks are generalized for broad use, but no framework encompasses all business types or all IT. The expectation is that they should be tailored to the need. The CAE can assist with this process.

Control frameworks can be formal, or they can be informal, meaning that they are not written down but are communicated verbally and through action. Such systems are not appropriate once an organization has moved past the earliest stages of maturity. Satisfying regulatory requirements requires the use of formal approaches.

Properly understanding risks is a prerequisite for selecting a control framework. The CAE should determine the organization’s risk appetite, defined in the IPPF glossary as “the degree of risk that an organization is willing to accept.”

IIA Practice Guides
The IIA’s Practice Guides (formerly GTAGs®) can help in
selecting the proper framework for an organization. The
Global Technology Audit Guide (GTAG) 1, “Information
Technology Risk and Controls,” 2nd Edition, covers IT
controls as an executive needs to understand them,
including organizational roles and structure and how the IT
controls fit within the overall control framework. The other
GTAG documents cover specifics such as IT change
management. These guides contain advice for set-up,
management, and measurement of application-level
controls.

The GTAG documents can be used to create a unique framework or to supplement an existing one. One example of a tool that can be used to plan for sufficient audit coverage is the CAE checklist shown in Exhibit 3-38. Studying the questions CAEs should raise for each of the actions listed shows how a general risk-based framework would be customized for each organization.
Exhibit 3-38: IT Control Framework Checklist
Source: Global Technology Audit Guide (GTAG) 1, “Information Technology Risk
and Controls,” 2nd Edition.

COBIT® Model for IT

COBIT®, formerly known as Control Objectives for Information and Related Technology, is an internationally accepted framework created by ISACA. ISACA helps enterprises to achieve their objectives for the governance and management of IT. The current version of the framework, COBIT 2019, helps:
Users be more satisfied with IT security and outcomes.
Management understand the role of IT and its place in organizational strategy.
Management create more value from IT resources, meet regulatory compliance, and control IT risks by providing better risk awareness to enable informed risk decisions.

COBIT sets clear lines of responsibility. The framework can be adapted for use by any size or type of organization to set and achieve separate governance and management objectives for its information systems.

The COBIT 2019 framework includes the following interrelated elements:
Governance system components (seven of these)
Governance framework principles (three of these) and governance system principles (six of these)
Governance and management objectives (40 of these)

Components
The components are the aspects or functions of the
organization that are needed individually and collectively to
create and sustain a governance system. Generally self-
explanatory, they are as follows:
Processes
Organizational structures
Principles, policies, and frameworks
Information
Culture, ethics, and behavior
People, skills, and competencies
Services, infrastructure, and applications

Principles
Exhibit 3-39 illustrates the three principles for a governance framework and six principles for a governance system that form the COBIT 2019 framework. Each set of principles is explained next.
Exhibit 3-39: COBIT’s Governance System Principles and Framework Principles

Source: Adapted from “COBIT 2019 Framework: Introduction and Methodology,” © 2018 ISACA. All rights reserved. Used with permission.

COBIT 2019 governance framework principles are as follows:
Framework Principle 1: Based on conceptual model. A governance framework (such as COBIT 2019) should be based on a conceptual model that clearly calls out the relationships between its elements so that persons will use the model consistently and the model is capable of being automated in software systems.
Framework Principle 2: Open and flexible. A governance framework should be able to be extended with new content without harming the model’s integrity or consistency. This enables the framework to flexibly address innovations, emerging risks, and so on.
Framework Principle 3: Aligned to major standards. A governance framework should be compatible with major regulations, other frameworks, or relevant government or industry standards.

COBIT 2019 governance system principles are as follows:

System Principle 1: Provide stakeholder value. Stakeholder needs drive value creation. Since the objective of governance is the creation of value in an organization, governance must define value creation as the realization of the benefits expected by stakeholders while optimizing the use of resources and the management of risks.

The needs of stakeholders often conflict, such as shareholders’ need for profit versus regulators’ or society’s need for environmental sustainability. Therefore, the COBIT 2019 framework promotes governance as a process of negotiating among stakeholders’ value interests and then deciding how to create optimum value for stakeholders overall.

Since this is a generic framework, what constitutes value for stakeholders may differ considerably, such as between for-profit and not-for-profit organizations. To help organizations define value based on customized stakeholder needs, the COBIT 2019 framework includes a goals cascade:
The cascade starts with stakeholder drivers and needs, which direct the selection of enterprise goals.
Enterprise goals direct the selection of alignment goals. (Alignment goals are broad IT efforts that help IT align with business objectives.)
Alignment goals direct the selection of governance and management objectives.

The goals cascade is basically a set of tables that starts with a set of 13 generic enterprise goals. For example, one goal is a “portfolio of competitive products and services.” Organizations use the knowledge of their stakeholders’ drivers and needs to select from among these generic goals. The enterprise goals then cascade down to 13 IT-related alignment goals, for example, “knowledge, expertise, and initiatives for business innovation.” These in turn cascade down to the set of governance and management objectives (addressed later). The point is to translate stakeholder needs and the derived governance goals into priority-weighted IT goals and from there to easily implementable processes, policies, and procedures.

System Principle 2: Holistic approach. The seven components listed previously are used to implement each goal determined using the goals cascade. While each component (e.g., organizational structures) may differ considerably between organizations, the set of components as a whole needs to work together.
The processes, organizational structures, and culture, ethics, and behavior components are governance-directed management organizing activities that help ensure successful adoption of the principles, policies, and frameworks. (Governance direction over culture, ethics, and behavior is critical to achieving goals. The influence of these three factors is often underestimated.)
The principles, policies, and frameworks component provides practical guidance on how to shape desired behavior by doing specific management activities.
The remaining components of information; services, infrastructure, and applications; and people, skills, and competencies are resource management components.
These components rely on one another to succeed. For example, processes need proper information, skills, and behavior to make them effective and efficient.

System Principle 3: Dynamic governance system. When the organization changes technologies or IT strategies, it is important that the IT governance system consider the impact of these changes and adapt itself to remain useful.

System Principle 4: Governance distinct from management. The board needs to see itself as a discipline separate from the management of an organization. The COBIT 2019 framework’s governance and management objectives clearly distinguish between governance objectives and management objectives.

System Principle 5: Tailored to enterprise needs. Tailoring is adapting a framework to an organization’s unique needs. The framework contains a set of design factors to help customize it and to determine which governance system components to prioritize or customize. An example of a design factor is to create an enterprise information and technology risk profile. Each design factor contains some useful aids, for example, a set of IT risk categories.

System Principle 6: End-to-end governance system. The end-to-end principle is that IT governance must be wholly and completely part of the organization’s overall governance and internal control framework.

The COBIT 2019 framework integrates the most current governance models and concepts. It also applies to processes that have been outsourced or are part of an extended enterprise of partners in a supply chain. Because the seven components listed earlier are organization-wide in scope, focusing on each of these components allows governance to be end-to-end.

The last part of this principle involves defining governance roles as well as their relationships and activities. Owners or shareholders delegate to a governing body such as the board, which sets the direction for management, which provides instructions to operations so that it aligns to stakeholder goals. Each relationship also includes a feedback process of reporting, monitoring, and accountability.

Governance and Management Objectives

There are five governance objectives. Governance objectives are all in the same domain:
Evaluate, direct, and monitor. Governance objectives include ensuring that the governance framework is in place and maintained, stakeholder benefits are delivered, risk responses are optimized, resource use is optimized, and stakeholders remain engaged.

There are 35 management objectives. Management objectives are divided into the following domains that reflect a cyclical set of management roles:
Align, plan, and organize. Processes include managing strategy, enterprise architecture, innovation, the portfolio of IT systems, risk, security, HR, and relationships.
Build, acquire, and implement. Processes include IT program management, change management, defining requirements, identifying and building solutions, and managing configuration, knowledge, and assets.
Deliver, service, and support. Processes include managing operations, incidents and problems, continuity, security, and process controls.
Monitor, evaluate, and assess. Processes include monitoring and managing performance and conformance, the system of internal control, compliance with external requirements, and assurance.

ISO 27000 IT Control Framework

The ISO 27000 series of standards is related to information security management systems (ISMS). An ISMS is a systematic framework for ensuring that sensitive organizational information remains secure. The series applies a risk management process to information security. ISO 27001:2013:
Sets requirements for an ISMS to ensure that the system is appropriate for the context of the organization, meets stakeholder needs and expectations, and is scoped, documented, communicated, and maintained appropriately.

Provides a code of practice for information security controls to help organizations select and implement those that are relevant to them and also develop customized information security management guidelines.
Has a section on leadership and commitment to ensure that objectives trace to the strategy, ISMS requirements are integrated into policy and processes, the ISMS is competently resourced, and the system is monitored and controlled using appropriate metrics to:
Achieve information security objectives.
Mitigate or prevent undesired effects based on a formal risk assessment process with a consistent set of criteria for comparability among results.
Continually improve.
Includes control objectives, individual controls, and security control clauses in the areas of:
Information security policies (gives management direction and support).
Organizational structure (a framework for implementing and controlling information security, including roles, responsibilities, segregation of duties, etc.).
Mobile devices and remote workers (to ensure security).
HR security (screening, learning responsibilities, training, at termination, etc.).
Asset management (inventories of assets, acceptable use, return at termination, how to classify information types, how to control access and changes to media, etc.).
Access control (similar to earlier discussion of identity and access management).
Cryptography (policies on encryption and storage of keys).
Physical and environmental security (from perimeter security down to how to work in secure areas, plus equipment security controls).
Operations security (operating procedures, change management, capacity management, malware protection, backups, audit trails, etc.).
Communication security (networks, information transmittal, etc.).
System acquisition, development, and maintenance (information system security requirements, development and support process controls, test data protection, etc.).
Supplier relationships (monitoring and managing supplier services and related changes).
Incident management (management of incidents and communications on security events and vulnerabilities).
Business continuity management. (Information security is an embedded component of such a system.)
Compliance (regulations related to contracts, intellectual property, document retention, etc.).

The standard requires both management reviews and internal audits at planned intervals to ensure conformance to related organizational requirements and the requirements of ISO 27001. There are numerous other standards in this family that relate to specialized areas such as ISMS auditing (ISO 27007), network security, application security, and so on.

ITIL IT Control Framework

ITIL 2011 is a five-tiered certification. Formerly called the IT Infrastructure Library, ITIL is a framework for management of IT as a portfolio of outsourced services using service level agreements (SLAs) and ongoing processes for monitoring and controlling availability, capacity, configurations, issues or problems, patches, change management, and so on. It addresses the concept and life cycle of IT service management, from service strategy and design to operations and continuous improvement.

Bibliography

The following references were used in the development of Part 3 of The IIA’s CIA Challenge Exam Study Guide. Please note that all website references were valid as of April 2020.

Accounting Standards Update No. 2016-02, “Leases (Topic 842).” FASB, www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176167901010&acceptedDisclaimer=true, February 2016.

“All about Ransomware.” Malwarebytes, www.malwarebytes.com/ransomware/.

American Institute of Certified Public Accountants (AICPA). “AU-C Section 240, Consideration of Fraud in a Financial Statement Audit.” www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-c-00240.pdf, 2017.

“Assessing Cybersecurity Risk: Roles of the Three Lines of Defense” (Global Technology Audit Guide [GTAG]). Altamonte Springs, Florida: The Institute of Internal Auditors, 2016.

“Auditing Insider Threat Programs” (Global Technology Audit Guide [GTAG]). Lake Mary, Florida: The Institute of Internal Auditors, 2018.

Babeni, Sadissa. “Most Popular Databases in 2020: Here’s How They Stack Up.” ormuco.com/blog/most-popular-databases, January 24, 2020.

BS ISO/IEC 27001:2013. “Information Technology—Security Techniques—Information Security Management Systems—Requirements,” second edition. The British Standards Institution, 2013.

Buccella, Diana. “Five Prevalent Risks for Marketing Departments.” Resolver, www.resolver.com/blog/top-5-risks-marketing-teams/, October 18, 2019.

Buccella, Diana. “Five Risks that Keep Sales Leaders Up at Night.” Resolver, www.resolver.com/blog/top-5-risks-sales-teams/, October 23, 2019.

“Business Continuity Management” (Global Technology Audit Guide [GTAG] 10). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

Cau, David. “Governance, Risk and Compliance (GRC) Software: Business Needs and Market Trends.” www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/governance-risk-compliance-software_DCA.pdf.

CERT® Insider Threat Center. “Common Sense Guide to Mitigating Insider Threats, Fifth Edition.” resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484758.pdf.

“Change and Patch Management Controls: Critical for Organizational Success,” 2nd ed. Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“COBIT 5: Enabling Processes,” www.isaca.org/bookstore/cobit-5/cb5ep.

“COBIT 2019 Framework: Introduction and Methodology.” Schaumburg, Illinois: ISACA, 2018.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy and Performance. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2017.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework (2013). Jersey City, New Jersey: American Institute of Certified Public Accountants, 2013.

Creely, Edel. “Five BYOD Security Implications and How to Overcome Them.” Trilogy Technologies, May 26, 2015.

Crowe Horwath LLP. “Enterprise Risk Management for Cloud Computing.” COSO, www.coso.org/Documents/Cloud-Computing-Thought-Paper.pdf, 2012.

“Data Analysis Technologies” (Global Technology Audit Guide [GTAG] 16). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

“Effective Dates of Major Standards.” FASB, www.fasb.org/cs/Satellite?c=Page&cid=1176169222185&pagename=FASB%2FPage%2FSectionPage.

“Evaluating Corporate Social Responsibility/Sustainable Development” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

“FASB Accounting Standards Codification®—About the Codification” (v 4.10). FASB, asc.fasb.org/imageRoot/71/58741171.pdf.

“Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.0. NIST (National Institute of Standards and Technology), 2014.

“Gartner Says 8.4 Billion Connected ‘Things’ Will Be in Use in 2017, Up 31 Percent from 2016.” Gartner, www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016, February 7, 2017.

Grassi, Paul A., Michael E. Garcia, and James L. Fenton. “Digital Identity Guidelines” (NIST Special Publication 800-63-3). NIST (National Institute of Standards and Technology), nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.

“Identity and Access Management” (Global Technology Audit Guide [GTAG] 9). Altamonte Springs, Florida: The Institute of Internal Auditors, 2007.

“Information Technology Risks and Controls,” 2nd ed. (Global Technology Audit Guide [GTAG] 1). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“The IoT Rundown for 2020: Stats, Risks, and Solutions.” Security Today, securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx?Page=2, January 13, 2020.

ISACA, www.isaca.org.

ISO/IEC 27017:2015, “Information Technology—Security Technologies—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services.” www.iso.org/standard/43757.html.

“ITIL Certifications.” Axelos, www.axelos.com/certifications/itil-certifications.

“The ITIL Foundation Certificate in IT Service Management Syllabus,” Version 5.5. Axelos, www.axelos.com/getmedia/b2d6281d-14aa-45fc-abb7-4d228810c328/The_ITIL_Foundation_Certificate_Syllabus_v5-5.aspx, 2013.

Kaplan, Robert S., and David P. Norton. “The Balanced Scorecard—Measures That Drive Performance.” Harvard Business Review, January-February 1992, hbr.org/1992/01/the-balanced-scorecard-measures-that-drive-performance-2.

“Leases.” FASB, www.fasb.org/cs/Satellite?c=Page&cid=1351027207574&d=Touch&pagename=FASB%2FPage%2FBridgePage#section_2.

“Management of IT Auditing,” 2nd ed. (Global Technology Audit Guide [GTAG] 4). Altamonte Springs, Florida: The Institute of Internal Auditors, 2013.

“Managing and Auditing IT Vulnerabilities.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

“Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

“The New Mafia: Gangs and Vigilantes: A Guide to Cybercrime for CEOs.” Malwarebytes, www.malwarebytes.com/pdf/white-papers/Cybercrime_NewMafia.pdf.

OECD. “Tool: Indicators of Procurement Risk.” www.oecd.org/governance/procurement/toolbox/search/indicators-procurement-risk.pdf, 2009.

“Revenue Recognition: Why Did the FASB Issue a New Standard on Revenue Recognition?” FASB, www.fasb.org/jsp/FASB/Page/ImageBridgePage&cid=1176169257359.

Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

“Statement of Comprehensive Income.” Audit IT, www.readyratios.com/reference/accounting/statement_of_comprehensive_income.html.

Stippich, Warren W., Jr., and Bradley J. Preber. Data Analytics: Elevating Internal Audit’s Value. Altamonte Springs, Florida: The IIA Research Foundation, 2016.

“Strategic Planning Basics.” Balanced Scorecard Institute, balancedscorecard.org/strategic-planning-basics/.

“Supplemental Guidance.” The Institute of Internal Auditors, na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Practice-Guides.aspx.

Taber, David. “The 11-Point Audit for Your Salesforce.com System.” CIO, www.cio.com/article/3146983/the-11-point-audit-for-your-salesforcecom-system.html, December 5, 2016.

“Understanding and Auditing Big Data” (Global Technology Audit Guide [GTAG]). Lake Mary, Florida: The Institute of Internal Auditors, 2017.

Vito, Kelli. Auditing Human Resource, 2nd ed. Altamonte Springs, Florida: The IIA Research Foundation, 2010.

“What Is COBIT 5?” ISACA, support.isaca.org/app/answers/detail/a_id/733/~/what-is-cobit-5%3F.

“What Is the Difference Between Differential and Incremental Backups (and Why Should I Care)?” Acronis, www.acronis.com/en-us/articles/incremental-differential-backups.

Zamora, Wendy. “Truth in Malvertising: How to Beat Bad Ads.” Malwarebytes, blog.malwarebytes.com/101/2016/06/truth-in-malvertising-how-to-beat-bad-ads/, December 13, 2017.

Index

A
agile project management [1]
anomaly detection [1]
antivirus software [1], [2]
audit
  trails [1]

B
baseline controls [1]
big data [1]
bring-your-own-device (BYOD) policies [1]
BYOD (bring-your-own-device) policies [1]

C
centralized organizational structure [1]
change control [1]
change management [1], [2]
COBIT [1], [2]
Committee of Sponsoring Organizations Internal Control—Integrated Framework [1]
compliance [1]
control(s)
  baseline [1]
  malicious software [1]
  information technology [1]
  internal [1], [2], [3], [4], [5]
  IT general [1]
  operational [1]
  program change management [1]
control frameworks
  ISO 27000 series [1]
  ITIL [1]
COSO Internal Control—Integrated Framework [1]
cosourcing [1]
CPM (critical path method) [1]
critical path method [1]
cybersecurity [1]

D
data
  analytics [1], [2], [3]
  big [1]
  cleansing [1]
data analysis software [1]
  governance [1]
  normalizing [1]
  privacy [1], [2], [3], [4]
  security [1]
decentralized organizational structure [1]
departmentalization [1]
descriptive analysis [1]
device tampering [1]
diagnostic analysis [1]
divisional organizational structure [1]

E
encryption [1]
ethics in data storage [1]

F
fair information practices [1]
FIPs (fair information practices) [1]
firewalls [1]
functional organizational structure [1]

G
Gantt charts [1]
GDPR (General Data Protection Regulation), European Union [1]
General Data Protection Regulation, European Union [1]
Global Technology Audit Guides
  “Assessing Cybersecurity Risk, Roles of the Three Lines of Defense” [1]
  “Information Technology Risks and Controls,” 2nd Edition [1], [2]
  “IT Change Management, Critical for Organizational Success,” 3rd Edition [1]
  “Management of IT Auditing,” 2nd Edition [1]
governance
  data [1]
  information security [1]
GTAGs. See Global Technology Audit Guides

H
HR (human resources) [1]
human resources [1]

I
identity theft [1]
IDSs (intrusion detection systems) [1]
information risk [1]
information security [1], [2], [3], [4]
information technology
  auditing [1], [2], [3]
  control frameworks [1]
  controls [1]
  general controls [1]
  risks [1]
insider threat programs [1]
internal controls [1], [2], [3], [4], [5]
International Organization for Standardization
  ISO 27000 family of standards [1]
International Standards for the Professional Practice of Internal Auditing
  1210.A3 [1]
  1220.A2 [1]
  2110.A2 [1], [2]
intrusion detection/prevention systems [1]
IPSs (intrusion prevention systems) [1]
ITGCs (information technology general controls) [1]
ITIL [1]

L
logistics [1]

M
malicious software [1]
malware [1]
marketing and sales [1]
matrix organizational structure [1]

N
network analysis [1], [2]

O
objectives [1]
operational controls [1]
operations objectives [1]
organizational structure
  centralized [1]
  decentralized [1]
  departmentalization [1]
  divisional [1]
  functional [1]
  matrix [1]
outsourcing [1]

P
patches [1]
PERT (program evaluation review technique) [1]
piracy, software [1]
Practice Guides
  “Auditing Third-Party Risk Management” [1]
  “Engagement Planning, Establishing Objectives and Scope” [1]
predictive analysis [1]
prescriptive analysis [1]
privacy audits [1]
procurement [1]
program alterations [1]
program change management controls [1]
program evaluation review technique [1]
projects
  change management [1]
  constraints [1]
  life cycle of [1]
  schedule [1]
  scope [1]
  teams [1]

R
reporting objectives [1]
risk
  assessment [1]
  information [1]
  information technology [1]
risk and control matrix [1]
risk by process matrix [1]

S
sales and marketing [1]
scope
  control [1]
SDLC (systems development life cycle) [1], [2], [3], [4], [5], [6]
security
  cybersecurity [1]
  information [1], [2]
  levels of [1]
service-oriented architecture [1]
smart devices [1]
SOA (service-oriented architecture) [1]
software
  antivirus [1], [2]
  malicious [1]
  piracy [1]
systems development life cycle [1], [2], [3], [4], [5], [6]

T
text analysis [1]
Three Lines Model [1]
Trojan horses [1]

V
VirWare [1]

W
web services [1]