
Planning Engagements to Assess Insider Threat Programs


                   Standard 2200 – Engagement Planning instructs that internal auditors must develop and document
                   a plan for each engagement. Standard 2201 – Planning Considerations adds that internal auditors
                   must consider:


                        • The strategies and objectives of the activity being reviewed and the means by which the
                          activity controls its performance.

                        • The significant risks to the activity’s objectives, resources, and operations and the means
                          by which the potential impact of risk is kept to an acceptable level.

                        • The adequacy and effectiveness of the activity’s governance, risk management, and
                          control processes compared to a relevant framework or model.

                        • The opportunities for making significant improvements to the activity’s governance, risk
                          management, and control processes.


                   Engagement planning typically includes several steps, as Figure 4 depicts, that help internal auditors
                   gain an understanding of the area or process that will be reviewed and document the information
                   that supports the engagement plan and work program. Because reviewing and documenting
                   information is an ongoing process, the steps may not be completely distinct and linear.


                   Figure 4: Internal Audit Engagement Planning Steps


                        • Understand the context and purpose of the engagement.
                        • Understand the process or area under review.
                        • Conduct a preliminary risk assessment.
                        • Establish engagement objectives.
                        • Establish engagement scope.
                        • Allocate resources.
                        • Prepare the work program.


                   Note: Several of the steps depicted in Figure 4 have been addressed in detail in other practice guides issued by The IIA
                   (see Appendix A).



                   Understanding Engagement Context and Purpose

                   This step is necessary to ensure that the goals and objectives set forth in the internal audit plan are
                   accomplished and that stakeholders’ expectations are properly included in the engagement plan.
                   For ad hoc engagements, or engagements requested by senior management or the board after a
                   significant change in the business or technology environment, this step is critical to ensure that



                   www.theiia.org   Auditing Insider Threat Programs