Presentation is loading. Please wait.

Presentation is loading. Please wait.

The IIA’s Authoritative Guidance

Published byAmia Blair Modified over 10 years ago

Similar presentations

Presentation on theme: "The IIA’s Authoritative Guidance"— Presentation transcript:

1 The IIA’s Authoritative Guidance
Practical Implications The IPPF & the professional practice of internal auditing

2 Scope & Structural Changes
PPF Organizes all IIA guidance IPPF Organizes The IIA’s authoritative guidance ELEMENTS Definition Code of Ethics International Standards Practice Advisories Development and Practice Aids ELEMENTS Definition Code of Ethics International Standards Practice Advisories Position Papers Practice Guides The new framework is the result of recommendations made by the Vision for the Future task force. In 1998, The Institute of Internal Auditors (IIA) formed a first Vision for the Future task force to assess whether gaps existed between the evolving internal audit practice and the Standards, and to identify whether the processes of standards-setting and guidance development used at that time could be improved. The new definition of internal auditing evolved from the work of this task force, along with the Professional Practices Framework (PPF), which included the “red book.” From , The IIA promulgated this guidance. In late 2005, The IIA’s Executive Committee commissioned an international steering committee and task force to review the PPF, and more specifically, The IIA’s guidance structure and related processes. This second Vision for the Future task force’s efforts focused on reviewing the scope of the framework and increasing the transparency and flexibility of IIA guidance development, review, and issuance processes. The results culminated in reengineered guidance development processes, a new International Professional Practices Framework (IPPF), and a Professional Practices Council (PPC) The PPC’s role is to set priorities for the issuance of guidance, coordinate IPPF processes and disseminate information related to its oversight activities to The IIA’s Board of Directors, various IIA international committees and staff involved with the IPPF, and internal audit stakeholders. Although the first Vision for the Future task force reviewed both content and structure, the second task force focused on enhancing the guidance structure and development processes. This process enhancement was critical for The IIA in the development of the new IPPF. It ensured simplicity and flexibility that would facilitate guidance development for internal audit practitioners for years to come, without requiring framework changes along the way. The enhancement also supports The IIA’s international stature, by demonstrating that it is following due process when developing technical guidance. This helps position The Insitute as a recognized and endorsed international standard-setting body for the internal audit profession. REMOVED ADDED

3 Contextual Changes PPF IPPF REMOVED ADDED ELEMENTS Definition
Code of Ethics International Standards Practice Advisories Development and Practice Aids ELEMENTS No change Definition No change Code of Ethics Some changes International Standards Some changes Practice Advisories Position Papers REMOVED ADDED However, as the PPF was retooled into the IPPF, the opportunity was taken to make some content changes. Together with a structure changes, most of the content changes to existing PPF material are concentrated in the area of the standards and practice advisories. Position papers and Practices guides have been added. The details of those changes are developed in the rest of the presentation. Practice Guides

4 AUTHORITATIVE GUIDANCE
IPPF The International Professional Practices Framework organizes The IIA’s authoritative guidance AUTHORITATIVE GUIDANCE Mandatory Non mandatory Strongly recommended A very critical aspect of the difference between the two frameworks is the change in scope from everything published or issued by The IIA in the PPF, to AUTHORITATIVE GUIDANCE in the IPPF. Authoritative guidance has been developed following strict due process by globally composed technical committees of The IIA under the oversight of the Professional Practices Council Chair. The committees and boards reporting to the Professional Practices Council are the Internal Audit Standards Board, the Professional Issues Committee, the Advanced Technology Committee, the Board of Regents, the Committee on Quality, and the Ethics Committee. Authoritative guidance comprises: Mandatory guidance - Compliance is required and the guidance is developed following due process, including public exposure. Compliance with the principles set forth in mandatory guidance is essential for the professional practice of internal auditing. Strongly Recommended guidance - Compliance is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. It describes effective of the Code of Ethics and the Standards.

5 IPPF Definition Elements Practice Guides Practice Advisories
Position Papers International Standards Code of Ethics Detailed guidance for conducting internal audit activities. Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables. Address approach, methodology and considerations, but NOT detailed processes and procedures. Concise and timely guidance to assist internal auditors in applying Code of Ethics and Standards and promoting good practices. Includes practices relating to: international, country, or industry specific issues; specific types of engagements; and legal or regulatory issues. IIA statement to assist a wide range of interested parties, including those not in internal auditing profession, in understanding significant governance, risk or control issues and delineating related roles and responsibilities of internal auditing. Mandatory requirements consisting of: Statements of basic requirements for professional practice of internal auditing and for evaluating the effectiveness of its performance, which are internationally applicable at organizational and individual levels. Principle-focused and provide a framework for performing and promoting internal auditing. Includes Attribute, Performance and Implementation Standards. Interpretations, which clarify terms or concepts within the Statements. Consider both Statements and Interpretations to understand and apply correctly. Statement of principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. Description of minimum requirements for conduct. Describes behavioral expectations rather than specific activities. Statement of fundamental purpose, nature, and scope of internal auditing.

6 Definition of Internal Auditing
No Change Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The definition is unchanged. It draws attention to the importance of key words Independent and objective ASSURANCE: Internal auditors are primarily providing assurance on the effectiveness of Governance, risk and control processes. By doing so they already add value. The “adding value” is not limited to consulting activities. It is both ASSURANCE and CONSULTING which can add value and help improve organization’s operation (not consulting only)

7 Code of Ethics No Change Integrity Objectivity Confidentiality
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Objectivity Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments. Confidentiality Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. Competency Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.

8 Standards Semantic/Glossary New Standards Modifications
Some Changes Standards Semantic/Glossary New Standards Modifications Interpretations

9 Standards Terminology
Semantic New Standards Modifications Interpretations Terminology Previously, the word should was used throughout the Standards. The use of the word should represented a mandatory obligation. In the 2002 PPF Standards, the word should was used throughout. The definition in the glossary indicated that should represented a mandatory obligation. This was considered very confusing for several reasons: Why not use a word that directly depicts a mandatory requirement? Many countries translated the English should to must, because of the definition in the glossary. The word should was not necessarily understood as meaning must, by those who did not refer to the glossary.

10 Standards Semantic New Standards Modifications Interpretations The use of should has been replaced by must, with the exception of these five Standards: Standard 1010 Standard 2050 Standard 2130.A2; 2130.A3 Standard 2220.A2 The replacement of should with must does not represent a substantial change, but removes the confusion about what is considered to be a mandatory requirement. A limited number of references to should remain in the Standards, along with a revised definition in the Glossary: Use the word “should” where conformance is expected unless, when applying professional judgment, circumstances justify deviation. Standard 1010, 1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board. Standard 2050 – Coordination The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. Standard 2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization. Standard 2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended. Standard 2220.A2 – If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards. Ultimately, the Internal Audit Standards Board expects to remove all references to should from the Standards.

11 Standards New terms added to the glossary
Semantic New Standards Modifications Interpretations New terms added to the glossary Information technology control Information technology governance Technology-based audit techniques Risk appetite Significance Because of the addition of new Standards or rewording of some existing Standards, additions have been made to the Glossary. Three of these terms refer to the world of technology. Information technology control Information technology governance New Standard 2110.A2: Assessing information technology governance The term, technology-based audit techniques has replaced CAATs (computer assisted audit techniques) to reflect a broader scope and evolution of technology, as well as the support technology provides to internal auditors in conducting their activity. Risk appetite - In line with the definition spelled out in COSO’s ERM, risk appetite refers to the level of risk that an organization is willing to accept. Planning Interpretation Risk Management Interpretation The Internal Audit Standards Board wanted to clarify the meaning of the word significance as its interpretation can be widely variable; and to differentiate it from materiality. Significance: The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors — such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

12 Six New Standards ATTRIBUTE STANDARDS 1010 1111 PERFORMANCE STANDARDS
Semantic New Standards Modifications Interpretations ATTRIBUTE STANDARDS 1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the internal audit charter 1111 Direct interaction with the board of directors PERFORMANCE STANDARDS 2110.A2 Assessing information technology governance 2120.A2 Evaluation of the risk of fraud 2120.C3 Limitation of the internal auditors’ role with the risk management scope 2430 Use of “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing” The introduction of six new Standards is not a direct result of retooling the PPF to become the IPPF. The IASB never stops identifying gaps or revising the Standards. Some of the revisions were ready when it was time to retool the PPF. For the sake of efficiency, the IASB exposed the new Standards in conjunction with the IPPF exposure. ATTRIBUTE STANDARDS Standards 1010 and 1111 are very important additions to the Standards. 1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board. This Standard is designed to elevate the awareness of IIA guidance by stating the internal audit activity’s accountability to that guidance in its charter. This helps internal auditors ensure that senior management and the audit committee are aware of their commitment to the IPPF. Standard 1010 offers a wide latitude of possibilities in terms of the reporting relationships of the internal audit activity 1111 – Direct Interaction with the Board The chief audit executive must communicate and interact directly with the board. Regardless of the organizational configuration of an internal audit department, organizational independence requires at least the possibility of direct interaction with the board. A board is an organization’s governing body — such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee — to whom the chief audit executive may functionally report. Standard 1111 was added to clarify the minimum requirements of interaction with the oversight body of an organization. PERFORMANCE STANDARDS Three implementation Standards and one generic Standard have been added. Inclusion of a specific focus on information technology governance when considering assessing governance processes. Recognizing IT as being critical to the infrastructure and information flow of any information, the IASB wanted to draw the attention of the internal auditors specifically on IT governance. 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives. Fraud is another specific topic where attention is being drawn. Although the views of the IIA have notchange regarding the role of internal auditors on the topic of fraud – Internal auditors are not Fraud investigator specialists – IASB felt that it was important, in the wake of continuous scandals, around the world – to indicate more clearly the specific role of internal auditing having to evaluate the fraud risk and management fraud risk management dispositions. 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. In 2006, The IIA released a Position Paper on The Role of Internal Auditing in Enterprise Risk Management. Among the objectives for the paper was the identification of ERM activities that, if performed by the internal auditors, could impair their independence. Those limitations are now included in the Standards. 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. The 1300 series provides the requirement for assessing and maintaining quality of the internal audit activity and generically states the conditions for claiming conformance with the Standards Standard 1321– Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. Additional guidance is provided on how to use the conformance statement when reporting on specific internal audit engagements. 2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing” Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing,” only if the results of the Quality Assurance and Improvement Program support the statement. It is very important to understand the underlying ethical implications of using/claiming inappropriately conformance with the Standards. Obviously, if an audit activity is going through its Quality Assurance and Improvement Program diligently and the results are positive – there is no issue. Issues may arise if an audit activity is not conducting quality assessments or if a QA has been conducted and the results are negative. The issue is not about non-conformance per se, but in the disclosure of the information and the use of the disclaimer in that regard. The IIA would discipline members and CIAs whose report claims usage and/or conformance with the mandatory guidance of The IIA if, in fact, that claim is not supported by due evidence — in particular, a effective Quality Assurance and Improvement Program . A CAE, who states in the internal audit charter the mandatory nature of the Definition, Code of Ethics, and Standards, operates using this guidance, undergoes a QA that evidences conformance, and claims to be in conformance, behaves ethically. A CAE, who states in the internal audit charter the mandatory nature of the Definition, Code of Ethics, and Standards, operates using this guidance, undergoes a QA concluding that non-conformance exists, discloses the non-conformance to senior management and the board, and does not claim to be in conformance until conformance is reached, behaves ethically. A CAE, who state in the internal audit charter the mandatory nature of the Definition, the Code of Ethics, and the Standards, operates using this guidance, undergoes a QA concluding that non-conformance exists, but intentionally does not disclose the non- conformance to senior management and the board, and claims to be in conformance, does not behave ethically.

13 Standards Other modifications
Semantic New Standards Modifications Interpretations Other modifications Improved some Standards by enhancing understanding, while preserving the original meaning. For example, the 1300 series has been reworded for enhanced clarity. Made numbering changes to the 2110, 2120, and 2130 series to reflect better logic of the relationships among the topics: 2110: Governance (previously, 2130) 2120: Risk (previously, 2110) 2130: Control (previously, 2120) Some existing Standards have been reworded for clarity, but the original meaning or intent of those Standards has not been altered. Many of the changes are editorial in nature with better grammar and sentence structure, but no practical implications. Originally, the numbering of the Standards covering risk, control, and governance was displayed in the order as mentioned in the Definition of Internal Auditing; i.e., Risk – 2110; Control – 2120; and Governance – While the definition has not changed, the order of these three topics in the Standards was altered to better signify the actual relationships among the concepts: Governance leads to risk management, which leads to internal control.

14 Standards Semantic New Standards Modifications Interpretations Interpretations to clarify concepts within a particular statement have been added to the mandatory guidance. Nine for Attribute Standards Ten for Performance Standards Interpretations have been added to the Standards where concept clarification — beyond glossary definitions — was needed. An integral part of the Standards, interpretations carry the same weight as the Standards.

15 Interpretation Example:
1320 – Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the Quality Assurance and Improvement Program to senior management and the board. Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance. This is an example of a Standard with an interpretation. The interpretation enhances the understanding of the concept, “communication of results” displayed in the Standards by clarifying: How What And frequency

16 Practice Advisories (PAs)
Significant clean-up, leading to a reduction of the number of Practice Advisories from 83 to 42. Practices Advisories have been re-written to achieve: Conciseness. Describe a method, an approach or consideration to assist internal auditors in applying a specific Standard or requirement of the Code of Ethics. The old Practice Advisories used the same language as the Standards and included the word “should.” Many practitioners viewed PAs as Standards, and considered them to be mandatory. PA style was varied, and not all PAs properly supported existing Standards. A massive clean-up was done on the Practice Advisories to remove confusion and align them with their definition. It is very important to remember that although PA’s are AUTHORITATIVE, they are strongly recommended, NOT MANDATORY.

17 New Practice Advisories Example

18 PAs related to Attribute Standards
1000-1: Internal Audit Charter 1110-1: Organizational Independence 1111-1: Board Interaction 1120-1: Individual Objectivity 1130-1: Impairments to Independence or Objectivity 1130.A1-1: Assessing Operations for Which Internal Auditors were Previously Responsible 1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions 1200-1: Proficiency and Due Professional Care 1210-1: Proficiency 1210.A1-1: Obtaining Services to Support or Complement the Internal Audit Activity 1220-1: Due Professional Care 1230-1: Continuing Professional Development 1300-1: Quality Assurance and Improvement Program 1310-1: Requirements of the Quality Assurance and Improvement Program 1311-1: Internal Assessments 1312-1: External Assessments 1312-2: External Assessment - Self Assessment with Independent Validation 1321-1: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

19 PAs related to Performance Standards
2010-1: Linking the Audit Plan to Risk and Exposures 2020-1: Communication and Approval 2030-1: Resource Management 2040-1: Policies and Procedures 2050-1: Coordination 2060-1: Reporting to Senior Management and the Board 2120-1: Assessing the Adequacy of Risk Management Processes 2130-1: Assessing the Adequacy of Control Processes 2130.A1-1: Information Reliability and Integrity 2130.A1-2: Evaluating An Organization's Privacy Framework 2200-1: Engagement Planning 2210-1: Engagement Objectives 2210.A1-1: Risk Assessment in Engagement Planning 2230-1: Engagement Resource Allocation 2240-1: Engagement Work Program 2330-1: Documenting Information 2330.A1-1: Control of Engagement Records 2330.A2-1: Retention of Records 2340-1: Engagement Supervision 2410-1: Communication Criteria Quality of Communications 2440-1: Disseminating Results 2500-1: Monitoring Progress 2500.A1-1: Follow-up Process

20 Position Papers Two Position Papers have been added to the IPPF:
The Role of Internal Auditing in Enterprise Risk Management The Role on Internal Auditing in Resourcing the Internal Audit Activity A specific addition to The IIA’s authoritative guidance is POSITION PAPERS. Position Papers are IIA statements that delineate related roles and responsibilities of internal auditing. They assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues. An interesting feature of Position Papers is that they examine an issue impacting internal auditing in a wider context, clarify the roles and responsibilities of others, and explore the internal auditors’ relationships with those players. Position Papers are useful not just for internal auditors, but also to help others — in particular, senior management and the board others — to understand certain issues.

21 Practice Guides 11 Global Technology Audit Guides (GTAG)
Guide on the assessment of IT Risk (GAIT) Additional Practice Guides will be issued regularly Practices Guides are detailed guidance for conducting internal audit activities. It Includes detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, including examples of deliverables. At this early stage of the IPPF, all the existing GTAG and the GAIT methodology have been retooled in Practices guides. It does not mean that practice guide will be systematically technology oriented. Overtime, practice guides touching on any topics in the standards can and will be developed. The next 10 slides provides an overview of the content of the existing guides.

22 GTAG-1 Information Technology Controls
Understanding IT controls Importance of IT controls Organizational roles and responsibilities for ensuring IT controls Analyzing risks Monitoring techniques IT control assessment

23 GTAG-2 Change and Patch Management Controls: Critical for Organizational Success
Why IT change and patch management controls are foundational to a healthy IT environment How IT change and patch management controls help manage IT risks and costs What works and doesn’t work in practice Sources of change and the likely impact on business objectives

24 GTAG -3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Role of continuous auditing in today’s internal audit environment Relationships among continuous auditing, continuous monitoring, and continuous assurance The application and implementation of continuous auditing Benefits of a continuous, integrated approach

25 GTAG-4 Management of IT Auditing
Defining IT IT-related Risks Defining IT Audit Universe Executing IT Auditing Managing IT Auditing Emerging Issues

26 GTAG-5 Managing and Auditing Privacy Risks
What is Privacy Privacy Principles and Frameworks Privacy Impacts and Risk Model Privacy Controls Good and Bad Performers Internal Auditing's Role Auditing Privacy CAE's Top 10 Privacy Questions

27 GTAG-6 Managing and Auditing IT Vulnerabilities
Defining the vulnerability management lifecycle The scope of a vulnerability management audit Organizational maturity Metrics to measure vulnerability management practices Top 10 vulnerability management questions

28 GTAG-7 Information Technology Outsourcing
Choosing the right IT vendor What are the best ways to manage outsourcing contract agreements? What are the main outsourcing risks and how can you mitigate them? Key outsourcing control considerations from the standing points of both client operations and service provider operations Which is the most effective framework for establishing outsourcing controls?

29 GTAG -8 Auditing Application Controls
What is application control and what is the relationship between application control and general controls? Why rely on application controls? How do you scope a risk-based application control review? What are the steps to conduct an application controls review? A list of key application controls and a sample audit program

30 GTAG-9 Identity and Access Management
The process of managing who has access to what information Not only IT, but a cross-organizational process Internal auditor has a role. Key IAM concepts Risks associated with IAM process Detail guidance on how to audit the IAM process A sample checklist for auditors

31 GTAG-10 Business Continuity Management Restoring critical business processes after a disaster
Management support Risk assessment Business Impact analysis Business recovery and continuity strategy Disaster recovery for IT Awareness, training, and testing BCM program maintenance Crisis communication CAEs have been challenged to educate corporate executives on the risks, controls, costs, and benefits of adopting a BCM program. Although recent disasters around the world have motivated some corporate leaders to pay attention to BCM programs, the implementation of such programs is far from universal. The key challenge is engaging corporate executives to make BCM a priority. Although most executives are likely to agree that BCM is a good idea, many will struggle to find the budget necessary to fund the program as well as an executive sponsor who has the time to ensure its success. This guide will help the CAE communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

32 GTAG-11 Developing the IT Audit Plan
The audit plan is the weakest link… Understanding the organization and how IT supports it Defining and understanding the IT environment Using risk assessment to determine the IT audit universe Formalizing the annual IT audit plan Executing the steps necessary for developing the IT audit plan

33 Guide to the Assessment of IT Risk (GAIT)
GAIT Methodology – top-down risk-based scoping methodology GAIT for IT General Control Deficiency Assessment - help assess IT general controls deficiencies identified GAIT for Business and IT Risk – help identify critical aspects of IT processes What is GAIT?: Provides a methodology that both management and auditors can use in their identification of key controls within ITGC as part of and a continuation of their top-down and risk based scoping of key controls for ICFR. GAIT is a structured reasoning process that can be tailored to an organizations internal language, etc. The business process risks and related key controls identified by the top-down and risk-based approach are its starting point. Those risks to the financial statements are taken to the next level using GAIT analysis: identifying risks within IT business processes where a controls or security failure could lead to a controls The IIA released the GAIT Methodology, the first practice guide in its Guide to the Assessment of IT Risk (GAIT) series in January This document provides a methodology to help organizations identify the key IT general controls (ITGCs) needed for an efficient and effective scope of work for Section 404 of the U.S. Sarbanes-Oxley Act of 2002. In March 2008, the IIA followed with two new guides: GAIT for IT General Control Deficiency Assessment provides an approach for assessing any IT general controls deficiencies identified during the annual assessment of internal control over financial reporting. GAIT for Business and IT Risk focuses on identifying the critical aspects of IT processes that are essential to the management and mitigation of business risk.

34 Practice Guides In the pipeline:
Fraud Detection in an Automated World (2009) Auditing IT Projects (2009) Security Management: Audit Security Governance (2009) Entity Level IT Controls (2010) Auditing User Developed Applications (2010) Thies are the GTAG whose development as already been approved. Other guides will be developed on various other topics. The working plan of the Technical area of te IIA is available and accessible under the guidance page of the web site:

Download ppt "The IIA’s Authoritative Guidance"

Similar presentations

Requirements Engineering Processes – 2

Requirements Engineering Processes – 2
Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.

Assurance Services Independent professional services that “improve the quality of information, or its context, for decision makers” Assurance service encompass.
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
1 2011 Yellow Book: Changes You Need to Know NASACT Training Webinar Marcia Buchanan May 4, 2011.

Yellow Book: Changes You Need to Know NASACT Training Webinar Marcia Buchanan May 4, 2011.
Organizational Governance

Organizational Governance
. . . key messages for CAEs, Senior Management and the Board

. . . key messages for CAEs, Senior Management and the Board
. . . a step-by-step guide to world-class internal auditing

. . . a step-by-step guide to world-class internal auditing
Www.theiia.org External Quality Assessments Frequently Occurring Findings Observed by The IIA QA Teams.

External Quality Assessments Frequently Occurring Findings Observed by The IIA QA Teams.
Internal Audit Capability Model (IA-CM) for the Public Sector

Internal Audit Capability Model (IA-CM) for the Public Sector
The Managing Authority –Keystone of the Control System

The Managing Authority –Keystone of the Control System
Introduction to Auditing

Introduction to Auditing
Getting to Know Internal Auditing

Getting to Know Internal Auditing
Presenter: Beresford Riley, Government of

Presenter: Beresford Riley, Government of
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Environmental Management Systems Refresher

Environmental Management Systems Refresher
International Internal Audit Standards Board

International Internal Audit Standards Board
Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Milan Zoric, ETSI.

Quality Manual for Interoperability Testing Morten Bruun-Rasmussen Presented by Milan Zoric, ETSI.
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Www.theiia.org Opinions for Individual IIA Standards 2009-2013.

Opinions for Individual IIA Standards
INTERNAL AUDITING for Institute of Chartered Accountants of India Bhilai Saturday, 19 th January 2008 by SUDHIR VARMA FCA; CIA(USA) B-57, New Rajinder.

INTERNAL AUDITING for Institute of Chartered Accountants of India Bhilai Saturday, 19 th January 2008 by SUDHIR VARMA FCA; CIA(USA) B-57, New Rajinder.

Similar presentations

Ads by Google