
The IIA Advanced Technology Committee, the GTAG Series and GAIT Steve Hunt ATC Chair April 16, 2010


Presentation Transcript


    2. Today's Agenda
       - ATC and the GTAG series
       - What is the ATC, activities and deliverables
       - Global Technology Audit Guides (GTAG)
       - Upcoming GTAGs
       - IPPF
       - GTAG Resources and Information
       - Q & A
       - Break

    3. Today’s Agenda, cont.

    4. Who is the ATC?
       - Advanced Technology Committee
       - International committee of the IIA
       - One of 6 Professional Practices Committees of the Professional Practices Council
       - 26 members from companies, accounting firms and consulting firms from around the world
       - All members have several years of in-depth experience in the IT risk and assurance space and are heavily credentialed
       - The vast majority of IIA guidance is written by these 6 committees

    6. What is the ATC? Mission
       As the global advanced technology committee of The IIA, we identify, research, and assist in the development of strategies and implementation of programs to position The IIA as a leading provider of information technology guidance to internal auditors.

    7. Major ATC Activities
       - Develop pertinent guidance for our members regarding information risk management, control and governance practices
       - Work with the Internal Audit Standards Board and the Professional Issues Committee to develop professional guidance
       - Advise education-related committees on technology issues for continuing professional development
       - Work with The IIA Research Foundation on technology issues through related research

    8. Major ATC Deliverables: GAIT
       GAIT – Guide to the Assessment of IT General Controls Scope Based on Risk
       - GAIT I – The GAIT Methodology: a set of IT principles and a methodology designed to scope IT general controls for SOX 404. Initial principles released in 12/06; initial methodology released in 02/07
       - GAIT II – GAIT for IT General Control Deficiency Assessment
       - GAIT-R or GAIT III – GAIT for Business and IT Risk: guidance on scoping the entire population of IT controls based on a top-down, risk-based approach
       - GAIT Case Study – PCI scoping using GAIT-R

    9. Major ATC Deliverables: Global Technology Audit Guide
       - Provide easy-to-understand IT audit guides
       - Target audience: Chief Audit Executives, Audit Committees and Executive Management
       - Audit guides published on a global scale in English, French and Spanish
       - Under the new International Professional Practices Framework (IPPF) they fall into the "Strongly Recommended Guidance" category
       - Publish 2 to 4 GTAGs per year
       - 13 published in multiple languages since 2005

    10. Why GTAG?
       - Many CAEs face the challenge of: understanding the risks posed by information technology; how to help their organizations manage IT risk; how to audit IT
       - The majority of the prevailing IT risk/IT audit guidance comes from ISACA, but is written at a much more granular, technical level
       - Given the broad responsibility of CAEs, the GTAG series provides them a high-level overview of particular IT risk management and control topics

    11. GTAG Development Process
       - Advanced Technology Committee: select topics based on IIA member input; co-authoring; oversee guide development
       - Professional Practices Committees (6)
       - IIA Partners: AICPA, Center for Internet Security (CIS), Carnegie Mellon, ISSA, ITPI, NACD and SANS Institute
       - IIA global affiliates
       - Concept to publish = about 52 weeks

    12. Thirteen GTAGs Published

    13. Thirteen GTAGs Published, cont

    14. Thirteen GTAGs Published, cont

    15. GTAGs to be Released in 2010 or 2011
       - Auditing User Developed Applications – Q2 2010, June International Conference
       - Auditing Security Governance – Q3 or Q4 2010
       - IT Governance – Q3 or Q4 2010
       - Technology Product Development Lifecycle – Q4 2010
       - Data Analysis Tools and Technologies/CAATs – Q4 2010

    16. GTAGs to be Released in 2010 or 2011, cont.

    17. Authoritative Guidance: Definition
       Authoritative guidance is technical guidance authored and endorsed by The IIA, following due process. It is restricted to the guidance developed and strictly controlled by the technical committees of The Institute.
       - Code of Ethics
       - International Standards
       - Practice Advisories
       And the IPPF brings two new categories into the framework:
       - Position Papers
       - Practice Guides

    18. GTAG Resources and Information
       - Members ONLY!!! .pdf download from the IIA website for zero cost
       - Non-Members: .pdf download from the IIA bookstore for $25
       - www.theiia.org/guidance/technology
       - Purchase printed copy from the IIA Bookstore: only GTAGs 1-11. GTAG 12 forward will not be available for purchase in printed hardcopy (US$ 25 for IIA members, US$ 30 for non-members)

    20. 10-minute break

    21. GAIT
       - The What and Why
       - Evolution, Principles and Methodology
       - GAIT I – The GAIT Methodology
       - GAIT II – ITGC Deficiency Assessments
       - GAIT III or GAIT-R – Business and IT Risk
       - Case Study – PCI scoping using GAIT III
       - Resources and Information
       - Q & A

    22. What is GAIT?
       Guide to the Assessment of IT General Controls Scope Based on Risk
       - Four principles and a methodology for top-down, risk-based scoping of IT general controls
       - SOX §404
       - IT Audits
       - Business Audits
       - PCI

    23. Why GAIT and its History: GAIT I – Methodology
       - Initially created to address the lack of ITGC scoping guidance for §404
       - Available guidance was control-focused, not risk-focused
       - Significant compliance and audit costs
       - Developed by members of the Advanced Technology Committee (ATC of the IIA), other committee members and industry professionals
       - Advisory Board oversight consisting of CPA firms, SEC registrants and the PCAOB
       - Initial principles released under AS/2 in February 2006
       - Initial methodology released under AS/2 in February 2007
       - Updated for AS/5

    24. Why GAIT and its History: GAIT II – ITGC Deficiency Assessment
       - The "9 Firm document", A Framework for Evaluating Control Exceptions and Deficiencies, needed some clarification
       - Expanded the "9 Firm document" by providing additional guidance on how to evaluate ITGC exceptions or deficiencies
       - Developed by members of the Advanced Technology Committee (ATC of the IIA) and CPA firms
       - Published March 2008

    25. Why GAIT and its History: GAIT III or -R – Business and IT Risk
       - Focuses on identifying the key IT controls across the enterprise that are essential to achieving business goals and objectives
       - Primarily developed for internal auditors
       - Improves the efficiency and effectiveness of internal audits by minimizing attention to IT risks that are not critical to the business and the achievement of its objectives
       - Developed by members of the Advanced Technology Committee (ATC of the IIA) and other committee members
       - Published March 2008

    26. What is GAIT I – Methodology
       - GAIT is a reasoned thinking process that continues the top-down, risk-based approach in AS/5 to assess ITGC risks
       - It helps identify risk in IT processes that could affect critical functionality needed to prevent/detect material errors
       - Control objectives are identified in GAIT, but not specific key controls

    27. Top-Down Risk-Based

    28. How Does the GAIT Methodology Work? Two main parts:
       - The Four Principles
       - Implementation Methodology

    29. GAIT Principle 1 The identification of risks and related controls in IT processes should be a continuation of the top-down, risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes

    30. GAIT Principle 2 The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data

    31. GAIT Principle 3 The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network

    32. GAIT Principle 4 Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls

    33. The GAIT Methodology

    34. GAIT Methodology – Question 1 What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement?

    35. GAIT Methodology – Question 2 For each IT process at each layer in the IT stack, (operating systems, networks, databases and application program code) is there a reasonable possibility that a process failure would cause the critical functionality to fail — indirectly representing a risk of material misstatement?

    36. GAIT Methodology – Question 3 If such IT business process risks exist, what are the relevant IT control objectives?

    37. GAIT Methodology
       - Phase 1 – Identify the critical IT functionality
       - Phase 2 – Identify the significant applications where ITGCs need to be tested
       - Phase 3 – Identify ITGC process risks and related control objectives
       - Phase 4 – Identify the ITGCs that meet the control objectives
       - Phase 5 – Perform a "reasonable person" review

    38. Methodology – Phase 1
       Continuation from the previous AS/5 step: "Identify controls to test that prevent or detect errors or fraud on a timely basis"
       Identify the critical IT functionality:
       - Review key controls, reports, and other functionality in the company's business processes and determine which are manual and which are automated
       - Develop a list of critical IT functionality
       - Confirm key automated controls
       - Determine whether there is additional critical IT functionality not identified as a key control

    39. Methodology – Phase 2
       Identify the [significant] applications where ITGCs need to be tested:
       - Sort the critical IT functionality by application
       - Identify the financially significant applications that are in scope for ITGCs
       - Continue only with financially significant applications

    40. Methodology – Phase 3
       Identify ITGC process risks and related control objectives:
       - Obtain additional information for each significant application
       - Identify and assess the risk of ITGC process failures at each layer of the stack and identify related control objectives

    41. GAIT Matrix

    42. GAIT Matrix – Partially Completed

    43. GAIT Matrix – Partially Completed

    44. Methodology – Phase 4
       Identify ITGCs to test that meet the control objectives:
       - Consider the pervasiveness of ITGCs: are there risks that may affect multiple applications and their functionality?
       - Select key ITGCs for reliance and testing

    45. Methodology – Phase 5
       Perform a "reasonable person" review:
       - Confirm the risks and key controls represent a reasonable view of risk to financial reporting
       - Ensure the selection of risks is reasonable, given the organization's risk tolerance in their SOX §404 scope
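As an added illustration of Phases 1 to 4 of the methodology above (this is example code written for this page, not IIA material or part of the original slides), the following Python records the scoping decisions as data so that the resulting GAIT matrix can be reviewed and re-derived. The application names, key controls, layer-to-objective mapping and per-layer risk judgements are all constructed assumptions; Phase 5 remains a human review and is not modelled.

```python
from collections import defaultdict

LAYERS = ("application code", "database", "operating system", "network")
# Constructed assumption: ITGC control objectives that address each layer of the stack.
OBJECTIVES = {"application code": ["change management", "access to code"],
              "database": ["database access control", "data migration"],
              "operating system": ["OS configuration", "privileged access"],
              "network": ["network access control"]}

def phase1_critical_functionality(key_controls, other_functionality):
    """Phase 1: automated key controls plus other critical IT functionality (e.g. reports)."""
    crit = [(c["name"], c["app"]) for c in key_controls if c["automated"]]
    return crit + [(f["name"], f["app"]) for f in other_functionality]

def phase2_by_application(critical, financially_significant):
    """Phase 2: sort by application and keep only financially significant applications."""
    by_app = defaultdict(list)
    for name, app in critical:
        if app in financially_significant:
            by_app[app].append(name)
    return dict(by_app)

def phase3_gait_matrix(by_app, process_risk):
    """Phase 3: per application and layer, list control objectives only where a process
    failure has a reasonable possibility of breaking the critical functionality."""
    return {app: {layer: (OBJECTIVES[layer] if process_risk.get((app, layer)) else [])
                  for layer in LAYERS} for app in by_app}

def phase4_pervasive(matrix):
    """Phase 4: objectives needed by more than one application are pervasive ITGCs."""
    hits = defaultdict(set)
    for app, layers in matrix.items():
        for objs in layers.values():
            for obj in objs:
                hits[obj].add(app)
    return sorted(obj for obj, apps in hits.items() if len(apps) > 1)

def demo():
    """Constructed sample walk-through of Phases 1-4 (Phase 5 is a human review)."""
    key_controls = [{"name": "three-way match", "automated": True, "app": "ERP"},
                    {"name": "cash count sign-off", "automated": False, "app": None},
                    {"name": "gross-to-net payroll calc", "automated": True, "app": "Payroll"},
                    {"name": "visitor badge log", "automated": True, "app": "Facilities"}]
    critical = phase1_critical_functionality(key_controls, [{"name": "AR aging report", "app": "ERP"}])
    by_app = phase2_by_application(critical, {"ERP", "Payroll"})
    risk = {("ERP", "application code"): True, ("ERP", "database"): True,
            ("Payroll", "application code"): True, ("Payroll", "operating system"): True}
    matrix = phase3_gait_matrix(by_app, risk)
    return by_app, matrix, phase4_pervasive(matrix)
```

Layers with no risk judgement recorded get no objectives, which is the scoping reduction the summary slide refers to; the pervasive objectives are the candidates for a single entity-level test rather than one test per application.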

    46. PCI Scoping using GAIT
       - Members of the ATC and others noted that PCI compliance guidance lacked adequate scoping guidance
       - Published case study based on GAIT III or -R, September 16, 2008
       - Presented the case study and the GAIT III or -R methodology to the PCI Security Standards Council on September 25, 2008

    47. GAIT Resources and Information
       - http://www.theiia.org/guidance/technology/gait
       - All 3 GAITs and the PCI compliance case study
       - Ask Dr. GAIT: drgait@theiia.org

    48. Summary
       - GAIT is very useful for scoping SOX 404 and any IT audit work
       - The proper use of GAIT results in reduced IT scope and a reduction in the number of key controls, resulting in hard-dollar savings
       - GAIT and GAIT III or -R can be used in any audit project where technology is involved
