P. 130

IT Essentials — Assessing Infrastructure and Networks

             TOPIC 6: ROLE OF INTERNAL AUDIT

            The Role of Internal Audit

            This unit focuses on internal audit’s examination of evidence for the purpose of providing an
            independent assessment on the organization’s governance, risk management, and control
            processes related to IT infrastructure and networks.

            Services

             The internal audit activity can provide a range of assurance and advisory services related to
             infrastructure and networks. For example:

            Assurance services include:
                 Assessing infrastructure risks and controls.
                 Assessing network risks and controls.

            Advisory services include:
                 Facilitating an inherent risk assessment, based on the results of planning-related architecture
                   reviews and on vendors’ completed requests for proposal (RFP).
                 Performing a penetration test on a newly deployed network segment or webserver (if
                   certified as ethical hackers — individuals who conduct non-malicious penetration testing).
                  Conducting a training session for the infrastructure and network teams on how to develop
                    control objective statements and how to design control tests that meet upcoming
                    regulatory guidance.

            Assessing Infrastructure and Networks

            Because infrastructure and networks are complex, it is helpful for internal audit activities to utilize
            frameworks to conduct their assessments. One such framework is The Committee of Sponsoring
            Organizations of the Treadway Commission’s (COSO) Internal Control-Integrated Framework (2013).

            COSO defines internal control as, “A process, effected by an entity’s board of directors,
            management, and other personnel. This process is designed to provide reasonable assurance
            regarding the achievement of objectives in:
                 Effectiveness and efficiency of operations.
                 Reliability of financial reporting.
                 Compliance with applicable laws and regulations.”

             IT controls encompass processes that provide assurance for information and information services,
             and that help control or mitigate the risks associated with an organization’s use of technology.
             These controls range from corporate policies to their implementation in coded instructions; from
             physical access protections to the ability to trace actions and transactions to the individuals
             responsible for them; and from automatic edits to reasonability analyses for large bodies of data. It is not
             necessary for the CAE to know everything about IT controls or the full continuum of technical
            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.