Planning

Building Internal Audit Function
- Gaining stakeholder commitment
- Developing a road map
- Developing the infrastructure
- Defining risk assessment methodology

- Current Emerging Risks

Risk Assessment

https://www.uvm.edu/sites/default/files/UVM-Risk-Management-and-Safety/Guide_to_Risk_Opportunity_Assessment_Response.pdf

Risk Assessment Worksheet
- Risk Name
- Risk/Opportunity statement
- Responsible Official
- Risk or Opportunity
- Risk or Opportunity Category
- Impact Score and Analysis on the org's mission, goals and competitiveness and existing mitigation efforts already in place
- Likelihood Score and Analysis (Determine the likelihood a risk event could occur)
- Overall score (multiply the impact and likelihood scores to come up with the overall score)
- Recommended response (additional mitigation)

 

Annual Plan

Continuous Quarterly Business Monitoring

Inform business about the upcoming Audit

  - Resources & budget for planning must be agreed upon by IA management

Introduction / Scoping Meeting

  - Understand the business process by gathering docs or building a process flow diagram

  - Risk Control Matrix for the entity

  - Audit Planning Memo

  - Audit Announcement Memo

  - Execute Design Effectiveness Assessment (DEA) Testing

  - Develop Operating Effectiveness Testing (OET) test steps

Design Effectiveness Assessment (DEA) - Validate whether the following are present

  • Alignment between the controls and risks identified (for example: whether business processes and related controls appear to be effective in achieving the stated objectives and managing its risks)

  • Frequency with which controls are applied (for example: whether controls will prevent or detect identified risks in a timely fashion)

  • Knowledge and experience of the individuals who are performing the controls

  • Segregation of duties relevant to the process being controlled

  • Timeliness in addressing issues and exceptions that result from control activities (review past control design issues)

  • Reliability of information used in performing controls (confirm availability of sufficient evidence to ensure that the control is effectively performing) 

  • Period the controls cover

  • Monitoring and enforcement of compliance with designed controls

The auditor should test the design effectiveness of controls by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.

Example: segregation of duties - logs reviewed by the database administrator.
If it is a small company that does not have enough employees for segregation of duties, the auditor should check whether it has any compensating controls.

Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.

Details:

- Discuss and agree upon key risks and controls with Business including areas in scope

- Obtain Management Control Assessment equivalent

- Obtain, discuss and assess self-identified issues

- Complete and document DEA testing

- Agree on audit scope with Business as reflected in the Audit Announcement Memo (AAM)

- Create OET test steps and define sampling approach and sample sizes

- Complete the Audit Planning Memo (APM) and Risk Control Matrix (R&CM) and have their contents agreed by impacted IA parties
