IT Essentials — Introduction to IT
IIA Standard 1200: Proficiency and Due Professional Care, states, “Engagements must be performed
with proficiency and due professional care,” and IIA Standard 1210: Proficiency, states, “Internal
auditors must possess the knowledge, skills, and other competencies needed to perform their
individual responsibilities. The internal audit activity collectively must possess or obtain and apply
the knowledge, skills, and other competencies needed to perform its responsibilities.” Internal
auditors should have sufficient knowledge of key IT risks and controls and available technology-
based audit techniques to perform their assigned work.
When assigning auditors to an engagement that may require specific skills and abilities, such as an
audit with IT components, IIA Standard 2230: Engagement Resource Allocation states, “Internal
auditors must determine appropriate and sufficient resources to achieve engagement objectives
based on an evaluation of the nature and complexity of each engagement, time constraints, and
available resources.” The interpretation of this standard states, “Appropriate refers to the mix of
knowledge, skills, and other competencies needed to perform the engagement.” Strengthening
general IT knowledge will assist the internal audit activity and the individual internal auditor in
obtaining the skillsets required to perform IT-related audits.
If an internal audit activity lacks personnel with the skills necessary to perform an audit that
encompasses aspects of the IT environment, it may choose to outsource or cosource engagements.
In doing so, the internal audit activity retains responsibility for the audit as a whole. IIA Standard
2340: Engagement Supervision states, “Engagements must be properly supervised to ensure
objectives are achieved, quality is assured, and staff is developed.”
TOPIC 3: ASSESSING IT CONTROLS
Assessing IT Controls
Assessing IT controls begins with a sound conceptual understanding of IT controls and culminates in
providing the results of risk and control assessments.
Important Controls
The CAE should gain an overview of the important controls and what business processes they
support as a first step in understanding IT risks and controls. Process descriptions and
organizational charts are some of the tools that can be used to gain an overview. Additionally, the
CAE should obtain an understanding of key IT initiatives to comprehend how the IT infrastructure
and applications may be changing during a defined period. This information will enable the CAE to
perform an initial risk assessment that allows for a deeper analysis.
Continuous Learning
The CAE should oversee the pursuit of continuous learning and reassessment as new technologies
emerge, and as dependencies, strategies, risks, and requirements change.
Questions
As with any assessment, when evaluating the control environment, the internal auditor must ask
questions to obtain information. On the following screens we will provide some sample questions,
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.