
GTAG — Introduction




Introduction

Internal audit’s approach to evaluating the effectiveness of risk management and internal control traditionally has been retrospective, with testing of controls performed on a cyclical basis — often months after business activities have occurred. Two factors are driving internal audit’s efforts to modify its historically retrospective approach:

  •  The organization needs to keep pace with the business by responding more timely to accelerated rates of change and emerging risks.
  •  Advancements in technology have enabled ongoing risk assessments and ongoing control assessments.

The first edition of this guidance, The IIA’s Global Technology Audit Guide (GTAG®) 3: Continuous Auditing – Implications for Assurance, Monitoring, and Risk Assessment, focused on transactional monitoring and established the alignment between continuous auditing and The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework (1992). This second edition relates continuous auditing to the three lines of defense in effective risk management and control and expands its focus to include not only transactional data, but also other data sources, such as security levels, logging, incidents, unstructured data, and changes to IT configurations, application controls, and segregation of duty controls.

Business Significance

In many organizations, management and the board are showing signs of fatigue from actual or perceived duplication or overlap of reviews of risk management and controls among the three lines of defense. Continuous auditing has the potential to mitigate this fatigue by:

  •  Optimizing the balance between the review efforts of internal audit and management.
  •  Promoting a more efficient use of organizational resources.
  •  Reducing the cost of assessing and providing assurance over the adequacy of internal controls.
  •  Providing an ongoing evaluation of risks and controls.
  •  Providing timely reporting of gaps and weaknesses, enhancing the opportunity for prompt corrective action.
  •  Providing flexibility necessary to prioritize remediation.
  •  Promoting better understanding of business performance, risks, and compliance.
  •  Enabling internal audit to provide continuous assurance regarding controls, risks, and opportunities.

Related IIA Guidance

International Professional Practices Framework (IPPF) guidance related to continuous auditing, continuous monitoring, and continuous assurance includes:

Standard 1210: Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Standard 2010: Planning
The CAE must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Standard 2120: Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Standard 2130: Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

    2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
      •  Achievement of the organization’s strategic objectives.
      •  Reliability and integrity of financial and operational information.
      •  Effectiveness and efficiency of operations and programs.
      •  Safeguarding of assets.
      •  Compliance with laws, regulations, policies, procedures, and contracts.

Standard 2320: Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

Practice Advisory (PA) 2320-4: Continuous Assurance

GTAG 14: Auditing User-developed Applications

GTAG 16: Data Analysis Technologies
