Page 379 - ITGC_Audit Guides
internal auditors understand fully the expectations of senior management. For example, after a
merger or acquisition, senior management may need to understand whether the acquired
organization has introduced new risks to the environment and whether those risks are being
addressed by the existing insider threat program.
Understanding the Process or Area Under Review
There are two critical areas the internal auditor must understand clearly when planning an
engagement to assess how well the organization is managing risks related to insider threats.
Internal auditors should first understand the nature of insider threats and the practices that
may be implemented to identify, protect, detect, respond to, and recover from an IT security
incident. To build their knowledge, internal auditors may consider using established security
frameworks, programs, and recommendations. Appendix E lists resources and agencies that
provide guidance and assistance related to information security, and Appendix F offers
additional resources. Internal auditors may start with this information but should identify
specific frameworks and recommendations applicable to the industry, market, and geographical
location in which their organization operates.
Fraud Risk
Because fraud is one of the key risks related to insider threats, it is important to obtain
information about fraud allegations, occurrences, and investigations. For detailed instructions
on how to incorporate fraud risk into engagement planning, see IIA Practice Guide “Engagement
Planning: Assessing Fraud Risks.”
In addition, internal auditors should understand the organization and its objectives. Understanding
the business objectives provides a basis for internal auditors to identify risks that should be
included in the preliminary engagement-level risk assessment (as required by Standard 2210.A1).
Insider Threat Management
Insider threats cannot be completely eliminated, but they can be managed to prevent or reduce their
impact if they materialize. An insider threat program is a combination of policies, procedures, and
controls to identify, prevent, detect, respond to, and recover from an IT security incident.
The primary purpose of implementing an insider threat program is to protect critical assets, which
can be physical and logical and include people, facilities, systems, and information. Trying to protect
everything the organization considers an asset can be a daunting and expensive proposition; thus it
is important that the first step in the process is to identify and classify critical assets.
www.theiia.org Auditing Insider Threat Programs 12