Page 377 - ITGC_Audit Guides
components of the program (e.g., governance, information security, physical security, or hiring practices) or may include those components in internal audit engagements that include critical digital assets in the scope. For example, internal auditors may assess whether the security monitoring functions have the necessary mechanisms to detect anomalies from within that could indicate compromised credentials or authorized users abusing their privileges. If the organization has already implemented mechanisms to monitor the external and internal environment, internal auditors may assess the effectiveness and efficiency of such control processes and may help promote continuous improvement (Standards 2120 – Risk Management and 2130 – Control).

The CAE must consider whether the internal audit activity collectively possesses the appropriate knowledge, skills, and other competencies to perform such engagements (Standard 1210 – Proficiency). For assurance engagements, internal auditors are expected to have sufficient knowledge of key IT risks and controls; however, they are not expected to have the expertise of internal auditors whose primary responsibility is IT auditing (Standard 1210.A3). If the internal audit activity lacks the necessary competencies to perform an assurance engagement involving insider threats, the CAE must obtain competent assistance and advice, according to Standard 1210.A1.

Internal auditors should collaborate with personnel in IT operations and information security to leverage the required technical expertise to ensure a comprehensive assessment of insider threats. Additionally, the CAE should coordinate activities and share information with these functions to leverage capabilities, ensure proper assurance coverage, and minimize duplication of efforts, as described in Standard 2050 – Coordination and Reliance.
www.theiia.org Auditing Insider Threat Programs 10