
IT Essentials — Introduction to IT

            IIA Standard 1200: Proficiency and Due Professional Care, states, “Engagements must be performed
            with proficiency and due professional care,” and IIA Standard 1210: Proficiency, states, “Internal
            auditors must possess the knowledge, skills, and other competencies needed to perform their
            individual responsibilities. The internal audit activity collectively must possess or obtain and apply
            the knowledge, skills, and other competencies needed to perform its responsibilities.” Internal
            auditors should have sufficient knowledge of key IT risks and controls and available technology-
            based audit techniques to perform their assigned work.

            When assigning auditors to an engagement that may require specific skills and abilities, such as an
            audit with IT components, IIA Standard 2230: Engagement Resource Allocation states, “Internal
            auditors must determine appropriate and sufficient resources to achieve engagement objectives
            based on an evaluation of the nature and complexity of each engagement, time constraints, and
            available resources.” The interpretation of this standard states, “Appropriate refers to the mix of
            knowledge, skills, and other competencies needed to perform the engagement.” Strengthening
            general IT knowledge will assist the internal audit activity and the individual internal auditor in
            obtaining the skill sets required to perform IT-related audits.

            If an internal audit activity lacks personnel with the skills necessary to perform an audit that
            encompasses aspects of the IT environment, it may choose to outsource or cosource engagements.
            In doing so, the internal audit activity retains responsibility for the audit as a whole. IIA Standard
            2340: Engagement Supervision states, “Engagements must be properly supervised to ensure
            objectives are achieved, quality is assured, and staff is developed.”

             TOPIC 3: ASSESSING IT CONTROLS

            Assessing IT Controls

            Assessing IT controls begins with a sound conceptual understanding of IT controls and culminates in
            providing the results of risk and control assessments.

            Important Controls
            The CAE should gain an overview of the important controls and what business processes they
            support as a first step in understanding IT risks and controls. Process descriptions and
            organizational charts are some of the tools that can be used to gain an overview. Additionally, the
            CAE should obtain an understanding of key IT initiatives to comprehend how the IT infrastructure
            and applications may be changing during a defined period. This information will enable the CAE to
            perform an initial risk assessment that allows for a deeper analysis.

            Continuous Learning
            The CAE should oversee the pursuit of continuous learning and reassessment as new technologies
            emerge, and as dependencies, strategies, risks, and requirements change.

            Questions
            As with any assessment, when evaluating the control environment, the internal auditor must ask
            questions to obtain information. On the following screens we will provide some sample questions,
            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.