Page 388 - ITGC_Audit Guides

Establishing Engagement Objectives


The objectives of the engagement depend on the context and purpose of the engagement. For compliance audits, the objectives are derived from the compliance requirements that must be reviewed. For risk-based assurance engagements, objectives are based on the initial purpose of the engagement and the results of the risk assessment. For consulting engagements, objectives must address governance, risk management, and control processes to the extent agreed upon with the client (Standard 2210.C1).

Help with Engagement Planning

For detailed instructions on developing the elements below, see IIA Practice Guide "Engagement Planning: Establishing Objectives and Scope":
    Risk scenarios.
    Risk and control matrix.
    Risk prioritization maps (i.e., heat maps).

                   Engagement Objective Examples

Assurance engagement (Compliance) – This engagement will evaluate compliance with the GDPR, which requires protection of personally identifiable information (PII). In this example, the criteria for evaluation, required by Standard 2210.A3, are the applicable privacy requirements and controls defined in GDPR.[5]

Assurance engagement (Risk-based) – This engagement will evaluate the effectiveness of the insider threat management program using as a reference the Framework for Improving Critical Infrastructure Cybersecurity published by NIST. In this example, the criteria for evaluation, as required by Standard 2210.A3, are the NIST framework, presented in Appendix C as an engagement work program.

Consulting engagement – This engagement will evaluate the effectiveness of the process to identify and classify digital assets. The internal audit activity will provide recommendations on how to improve the process (if necessary). In this example, the criteria for evaluation, as required by Standard 2210.A3, are determined by the stakeholder who requested the review.


                   Establishing Engagement Scope


The engagement scope sets the boundaries of the engagement and outlines what will be included in the review. The scope may define such elements as the specific processes and/or areas, geographic locations, and time period (e.g., point in time, fiscal quarter, or calendar year) that will be covered by the engagement, given the available resources.

Once engagement objectives have been established, the internal auditor must establish a scope sufficient to achieve the engagement objectives (Standard 2220 – Engagement Scope), taking into



[5] For more information about GDPR, see https://gdpr-info.eu.


www.theiia.org    Auditing Insider Threat Programs    20