The Relevant IT Audit

GAIT-R provides a top-down, risk-based approach to scoping IT risks and processes into audits.

Edward Hill, CIA, CPA, Executive Director, Business Advisory Services, Grant Thornton LLP
Internal Auditor, June 2011

In today's constantly changing business environment, with new threats and vulnerabilities emerging daily that put mission objectives at risk, auditors can make IT audits more relevant by tying them to the strategic objectives of the organization. In the past, IT audits typically focused on the IT control environment and technical infrastructure. As a result, auditors may have paid too much attention to details in IT-specific areas that were dated or irrelevant to achieving current business goals, rather than focusing resources on control and risk elements that support current mission-critical goals.

Auditors must broaden the scope of IT audits to include the control and risk environment relevant to business objectives, which will differ based on each organization's dependence on technology to meet strategic objectives. Using this approach and drawing on The IIA's Guide to the Assessment of IT Risk (GAIT) guidance, auditors will conduct a more meaningful audit that examines true business risk. As such, the level and type of IT support will be different for each organization.

GAIT-R focuses on the likelihood of risk events occurring to determine the level of IT audit control testing needed. Under the model, the potential failure in an IT process, or risk occurrence, is assessed to determine what effect the failure may have on the achievement of business objectives. If delivering timely information to customers were a critical business objective of a manufacturing company, the GAIT-R model would assess the potential impact that failing to meet this objective might have on the organization. To an e-commerce company, system availability is crucial to ongoing sales as well as to an overall goal of customer confidence and loyalty. If the company has a technology failure that causes the purchasing system to go down, not only does that company lose sales, customers also may lose confidence in the company and migrate to other online providers. The loss of the availability of applications and the infrastructure that supports them is almost always a critical risk if the applications are customer facing. Customers in today's information age demand immediate availability of information and lose confidence and interest when it's not available when they need it.

As such, system availability controls and risks should be given audit priority to minimize the risk of key control failures. This approach focuses internal audit effort where it is most needed, resulting in higher quality IT audits. Internal auditors, and by extension the organization as a whole, also benefit from a better understanding of how particular IT processes and controls are designed to mitigate risk and contribute to the achievement of business objectives, making the role of internal auditors more valuable from a strategic planning perspective.

RISK-BASED AUDITING

Instead of focusing on specific controls, GAIT-R uses a top-down, risk-based approach written primarily for internal auditors. The methodology identifies risks, not specific controls, within IT business processes where a control or security failure could adversely affect the achievement of specific goals of an organization. The approach assumes that IT risk is most important when it relates to the potential failure of a key business process or objective. Once key IT controls are identified, GAIT-R uses structured reasoning to focus on those controls across the enterprise that are essential to achieving business goals and objectives. Used correctly, this filtering process streamlines the IT audit scope, minimizing resources spent on IT risks that are not critical to business objectives.

Scoping IT audits using GAIT-R further refines the IT scope by adding a relevant business filter. Traditionally, many auditors have viewed technology risk assessments in a silo, focusing audits on IT department objectives in a review of applications, technical infrastructure, IT processes, and IT projects across the organization. This traditional approach focuses on the effectiveness of technology against IT objectives rather than the supporting role of technology in achieving the goals of the business. GAIT-R takes the scoping process one step further by tying IT objectives to business objectives before taking a top-down approach. The refined scope should identify how technology is being used to enable business processes within the organization. As a result, audits of data security that use the GAIT-R methodology might focus on protecting the information assets that are required to support critical business operations, securing intellectual or proprietary property (such as the formula for a new product), and identifying where the damage to, or loss of, data could represent an immediate liability to the business as a whole.

APPLYING THE METHODOLOGY

The GAIT-R methodology covers the risk assessment and control identification process in eight steps, starting with understanding the business objectives for which controls are to be assessed and ending with a defined scope of work. The most significant and differentiating steps, with practical applications for clarification purposes, are summarized as follows (for the complete list of steps, see the GAIT Methodology Steps sidebar).

Identify the business objectives for which the controls are to be assessed

For example, an online retailer relies on information systems that provide up-to-the-minute status of order processing and shipment tracking. The processes and applications are designed to achieve the goal of real-time and reliable customer support. If these systems are not available, the lack of timely information could impact customer satisfaction. If there is a goal of immediate shipping of in-stock inventory and the customer-facing system indicates that an item is in stock, but that system is out of sync with the warehouse and shipping systems, the order placed by the customer may not trigger the shipment of the item. The customer is likely to be upset and lose faith in the company.

Identify the critical IT functionality relied on from among the key business controls

For example, a food distributor that provides daily delivery of fresh produce and meats to upscale restaurants uses an automated pick-and-pack application. Orders for next-day delivery must be placed by 10 p.m. through an online order system to ensure goods are sourced, sorted by restaurant, packed in the correct order on the trucks, and are rolling out of the warehouse by 7 a.m. the next day. The highly competitive restaurant supply business is reliant on processing accurate, complete, and timely orders. Therefore, the audit team should identify key risks in the process and understand how the company guarantees that changes to this application are accurate and completely tested before being placed into operations. The IT assessment should include audits of all system applications and processes that affect key risk areas and contribute to the critical business objectives of on-time, accurate deliveries.

Identify the significant applications where IT general controls need to be tested

In the restaurant supply example, audits should be tied directly to the achievement of key business goals. In the example, there most likely are several audits that would be associated with the business objective of achieving on-time, accurate deliveries. Based on the size and complexity of the systems, these audits would include change management over significant applications, focusing specifically on the completeness of the testing before programs are moved into production. A complete analysis of the overall process also may identify IT infrastructure components critical to the achievement of the delivery goals.

Identify IT general control process risks and related control objectives

Key business-related risks could include: availability of the systems; consistency and accuracy of processing; ease of use and accuracy of customer-facing websites for entering orders or scheduling service; use of company systems by vendors or other outside users; and reliance on and enablement of applications and other technologies. For example, a manufacturing plant uses an automatic reorder system to order key production parts. If the reorder system fails and key parts are not available as needed, production could come to a halt. The technology risk of this failure would be felt throughout the organization in a monthly sales drop and failure to meet existing production commitments. By identifying this risk up front in an IT audit, the company can test appropriate controls for success and identify a backup alternative supplier before the need is critical.

Determine the scope of the review and build an appropriate design and effectiveness testing program

A critical step in the application of the GAIT-R methodology is the identification of those key/critical controls related specifically to the identified business process and the related risks/controls to achieving the objective. Using the same example goal of accurate and on-time delivery, practical application focuses on the program change control audit. In the overall change control process there are several steps that are critical to an efficient and effective method, but are less critical to the objective if only fully tested and evaluated changes should be promoted into production. For example, the accuracy and completeness of the user change request process is not specifically relevant to ensuring the changed code is accurate. However, if the audit is designed to evaluate the efficiency and effectiveness of the change process overall, these steps would need to be evaluated.

A STRONG BUSINESS CASE

Although GAIT-R changes the IT focus and selection of controls targeted in an IT audit, the top-down, risk-based approach ensures a more effective audit scope, lowers cost in the long run, and improves the strategic overview. In addition, aligning IT risks with business goals puts IT audit findings in a business context that is more easily understood outside of IT circles. For example, audit findings from an assessment of the availability of customer service applications and the infrastructure that supports the achievement of superior customer service can help management understand what puts this goal at risk and make adjustments before IT issues impact it.

Adopting GAIT-R takes up-front time, effort, and resources. Some internal auditors may question whether they have the skills and knowledge necessary to implement the methodology. The higher quality audits that result from focusing on true business risks, not just technology risks, should be justification enough for moving to this approach. Making the change to a GAIT-R approach to IT audits also is beneficial for internal auditors themselves. With GAIT-R, internal auditors become the interface between management and IT specialists, breaking through technology jargon to give the organization's leaders the information they need to understand the strategic implications of IT risk.

To comment on this article, email the author at edward.hill@theiia.org.

PRACTICAL GUIDANCE

GAIT for Business and IT Risk (GAIT-R), issued by The IIA in 2008, is a method for scoping IT audits by sifting key controls through an eight-step series of top-down, risk-based filters. The result is a streamlined scope that focuses the IT audit on those key controls and risks across the enterprise that are essential to achieving business goals and objectives. The GAIT-R guidance takes a holistic view of audit scoping that includes financial, operational, legal, and compliance functionality as outlined in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control - Integrated Framework. COSO identifies three broad internal control objectives: financial reporting, such as completeness, accuracy, proper valuation, and safeguarding of assets; operations, including items like price or customer service; and legal and regulatory. Of these three, only financial reporting requirements cut across all organizations. Operations and legal and regulatory requirements differ from company to company depending on its competitive niche and industry. A low-cost provider will have a different risk profile than a company competing on customer service in the same industry.

GAIT METHODOLOGY STEPS

These steps outline an approach to applying the GAIT principles to a business audit, which will identify the critical IT risks related to particular business objectives.

1. Identify the business objectives for which the controls are to be assessed.
2. Identify the key controls within business processes required to provide reasonable assurance that the business objectives will be achieved.
3. Identify the critical IT functionality relied on from among the key business controls.
4. Identify the significant applications where IT general controls need to be tested.
5. Identify IT general control process risks and related control objectives.
6. Identify the IT general controls to test that they meet the control objectives.
7. Perform a holistic review of all key controls to ensure that considerations have been balanced between those controls that rely on IT and those that do not.
8. Determine the scope of the review and build an appropriate design and effectiveness testing program.

The GAIT-R approach focuses internal audit effort where it is most needed, resulting in higher quality IT audits and making the internal auditor's role more valuable from a strategic planning perspective.

TOP-DOWN, RISK-BASED PRINCIPLES

The GAIT-R principles outline the overall approach to scoping IT audit work so that IT work addresses the most critical IT issues from a business objective standpoint. These principles will guide a user to the critical IT functions and will provide a business context to the IT audit work.

Principle 1: The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.
Principle 2: Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls required to manage or mitigate business risk.
Principle 3: Business risks are mitigated by a combination of manual and automated key controls.
Principle 4: IT general controls may be relied on to provide assurance of the continued and appropriate operation of automated key controls.