KnowledgeLeader provides best practice articles, tools, guides and other resources on information technology (IT) auditing. This page contains an alphabetized list of all of the resources and tools on IT audit that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2013 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
In January 2013, healthcare provider organizations bid farewell to an era defined by uncertainty, in terms of internal systems, processes and procedures. The facets of compliance that previously consumed organizations and internal auditors are quickly being replaced by other facets of the law. As a result, most internal audit functions are being pushed to their limits thanks to high-level challenges bearing down on healthcare provider organizations and, by extension, chief audit executives (CAEs) and their teams. According to the healthcare internal audit executives and professionals who participated in the Internal Healthcare Auditing Professionals (AHIA) and Protiviti 2013 Internal Audit Capabilities and Needs Survey, internal audit functions within healthcare providers recognize a number of critical needs. In this report, we detail these critical needs in depth.
2015 IT Audit Benchmarking Survey
Are IT audit practices keeping pace in order to assess, monitor and mitigate the critical risks that come with a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey. In this report, we summarize the findings from ISACA and Protiviti’s fourth annual IT Audit Benchmarking Survey, conducted in the third quarter of 2014. This global survey, conducted online, consisted of a series of questions grouped into five categories: Today’s Top Technology Challenges; IT Audit in Relation to the Internal Audit Department; Assessing IT Risks; Audit Plan; Skills and Capabilities.
2015 IT Audit Benchmarking Survey: Key Takeaways
A closer look at some of the notable takeaways from Protiviti and ISACA's 5th Annual IT Audit Benchmarking Survey.
2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
This report details the results of the 2016 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations, which provides a benchmark of current perceptions in the industry.
2015 IT Security and Privacy Survey
From the boardroom and C-suite to IT, legal, finance and more, every corner and function of the business appears intent on addressing cybersecurity issues aggressively. But are these intentions translating into effective policies and actions to secure the “crown jewels” of organizations?
2016 Predictive Analytics Survey
Protiviti conducted its Predictive Analytics Survey to learn more about the predictive analytics capabilities of organizations.
2016 Audit Committee Agenda Webinar Q & A (Part 1)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience and a lot of interesting and relevant questions were asked. In this article, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
A Decade of Increasing Collaboration and Risk Awareness at Old National Bank
Old National Bancorp is the largest financial services bank holding company headquartered in Indiana. The bank provides financial services primarily in Indiana, southeast Illinois, western Kentucky, and southwestern Michigan through 200 financial banking center locations. The internal audit function has undergone tremendous change at Old National in the past 15 years. In this profile, Dick Dubé, Chief Audit Executive and Ethics Officer, discusses the factors that led Old National to change its point of view on internal audit. Dubé brought internal audit trainers to coach the internal audit team on goals and methodologies tailored specifically to the bank. Because of the changes that have occurred over the past several years, the internal audit team is collaborating effectively with management, is aware of the bank’s risks, and is seen as a strategic partner to the business.
A Matter of Trust: Taking a Look at the CISA Controversy
The Global Leader of Protiviti’s IT Consulting Practice takes a look at the concerns surrounding the Cybersecurity Information Sharing Act (CISA), a proposed law that has spurred controversy in the United States and abroad.
Acceptable Use Policy: Sample 2
This policy establishes guidelines for the acceptable usage of a company's information resources and assets.
Access to Programs and Data Audit Work Program
The purpose of this work program—focused on access to programs and data—is to outline the IT general controls to be tested, review the results of management’s testing, and document the procedures to test each control. Document the procedures to be performed to conclude on the operating effectiveness of the controls identified, including a specific description of the nature, timing and extent of procedures to be performed. For all controls that are tested at an interim date, list the procedures performed to roll-forward the interim testing to period end.
Achieving High Performance in Internal Audit
For the past seven years, the Institute of Internal Auditors–Australia and Protiviti have conducted surveys of the internal audit profession and audit committee members in order to identify and benchmark trends and developments in the internal audit profession. Key themes emerging from this year’s research focus on quality assessment reviews, data analytics and developing high-order skills.
Active Directory Work Program: User Management/Administration, Access Request Procedures
This active directory audit work program focuses on the access request procedures within user management/administration. It includes questions on key controls, the goal state for production and the status of designed controls.
Active Directory Work Program: User Management/Administration, General
This active directory work program focuses on the general aspects of user management/administration.
Active Directory Work Program: User Management/Administration, Powerful User Rights
This active directory audit work program focuses on the powerful user rights aspect of user management/administration. It includes questions on key controls, the goal state for production, and the status of designed controls.
Active Directory Work Program: User Management/Administration, User ID Maintenance
This active directory audit work program includes questions on key controls, preferred controls, goal state for production, and intent and status of designed control.
Active Directory Work Program: User Management/Administration, User ID Termination
This active directory audit work program focuses on the user ID termination aspect of user management/administration. It includes questions on key controls, preferred controls, goal state for production, and intent and status of designed control.
Active Directory Audit Work Program: Infrastructure
This work program focuses on the general, platform configuration, and platform security areas of the infrastructure of an active directory.
Active Directory Audit Work Program: User Management/Administration, User ID Creation
The active directory work program focuses on the user ID creation aspect of user management/administration.
Agile Technology Controls for Startups: A Contradiction in Terms or a Real Opportunity?
This article explains how for many emerging startups, risk mitigation and internal controls can actually run counter to the company’s “DNA”—its inherently irreverent culture and competitive mindset.
Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry
Although the financial services industry continues to focus on transforming operations for the mobile era, with over 63 percent of companies undergoing a major Information Technology (IT) transformation, the alarming rise in malicious IT attacks has amplified the focus on cybersecurity. Sensitive financial information is among the most valuable and abundant cyber data there is, which explains why crafty and dangerous cyber predators worldwide are constantly targeting security vulnerabilities. In our recent Executive Perspectives on Top Risks for 2015 study, board members and C-suite executives identified cybersecurity as one of the top risks their organizations must address. In this report, we detail the key findings of our study. In addition to beefed-up security, the financial services industry IT leaders we surveyed cited an increased and competing number of IT priorities they are juggling, including regulatory and compliance issues, big data planning, and standards and framework governance. Our survey also includes special sections addressing IT transformation as well as IT knowledge within the financial services industry. More than 1,000 respondents in our survey, primarily CIOs and IT directors, share this outlook and are consequently dedicating more IT hours, resources and mindshare to defending against cyber predator attacks this year. Areas of focus include virus/malware threat detection and eradication, security event monitoring, and incident response, containment, and recovery. Security and privacy are no longer just “significant priorities” for financial services firms; they’re the concern this year.
AML and Data Governance: How Well Do You KYD?
Do you know your data? Read this article to learn more about the five steps that lead to an effective data governance function.
An Integrated Approach to Managing Identity and Privileged Access Risk
This article outlines the Protiviti IAM Capability Model, which can be used to provide an understanding of an organization’s current IAM strengths and weaknesses.
Application Control Review RCM
This document outlines risks and controls common to the application control review process in a risk and control matrix (RCM) format.
Application Controls Audit Work Program
This application controls audit program applies when auditing financial end-user-developed spreadsheets and other applications.
Application Controls Audit Work Program: Sample 2
This audit work program focuses on the application controls necessary to support a business.
Application Security Review and Testing Audit Work Program
Application security involves checking the security controls of an application, not the operating system or device that hosts the application. This work program focuses on the security issues related to e-business applications.
AS400 Review Audit Work Program
This work program outlines steps for an AS400 review audit. It identifies major areas to investigate during a general or specific controls review in an AS400 installation as well as critical control validation tests to perform.
Assessing SharePoint Security: Are You Due for a Check-Up?
Microsoft’s SharePoint enterprise content management platform is everywhere, but only about one-third of companies have a SharePoint security plan in place. This article explains how a secure SharePoint environment is certainly possible and not too difficult to achieve.
Auditing Information Security: Are You Protected?
In this article, we describe the importance of ensuring that information security efforts have a positive effect on an organization and explain how internal auditors can help protect an organization from harm.
Auditing Network Security - Defining the Scope
This multi-part guide details the steps required to ensure that your network is secure. This second part of five provides more detail regarding determining what should be included in a review or audit.
Auditing Network Security – Securing a Network
This multi-part guide details the steps required to ensure that your network is secure. This first part discusses the overall approach to reviewing/auditing the existing security.
Auditing Technology Risk: It’s Priority 1 Through 10
This article addresses three questions about IT audit’s involvement in assessing IT risk.
Auditing IT Initiatives Is a Recommended Quality Practice
In this article, we outline the auditing of an IT initiative throughout the lifecycle of a project, concentrating particularly in the planning, development and/or software acquisition, testing and implementation stages.
Barclays’ Internal Audit Function Harnesses Data Visualization to Gain a Clear Picture of Business Risks
This performer profile details how Barclays’ internal audit function harnesses data visualization to gain a clear picture of its business risks.
Beyond HIPAA: Improving Cybersecurity for Healthcare Organizations
In this article, we stress the importance of healthcare leaders initiating risk discussions among their boards and the technology, medical and legal stakeholders within their organizations.
Big Data Analysis Guide
“Big data” is a general term used to describe the voluminous amount of unstructured and semi-structured data that would take too much time and cost too much money to load into a relational database for analysis. This 11-page guide highlights the future of big data and includes information on example vendors, trends, key risks and challenges that internal audit can help mitigate.
Big Data Initiatives: Minimizing Risk and Maximizing Value with Governance
Making the decision about when, whether, how much and how to invest in big data analytics initiatives can be a challenge.
Briefing the Board on IT Matters
In today’s environment, many businesses are actually technology businesses because their business models cannot function without technology. We often receive feedback from board members, stating they do not have a sufficient understanding of the IT risks facing their organizations. When directors are briefed on IT matters, do they fully understand the message? In this issue of Board Perspectives: Risk Oversight, we outline three contexts for conducting IT briefings with the board of directors. Each context provides directional insights for the chief information officer and the chief information security officer in organizing delivery of the briefing.
Building the Foundation for Data Analytics
Certain data management topics lend a more complete understanding to the subject of data analytics as derived knowledge and information, and these are addressed in this article.
Business Continuity Management RCM
This document outlines risks and controls common to the "business continuity management" process in a risk control matrix (RCM) format.
Business Continuity Management Audit Work Program: Sample 2
This audit work program assesses the effectiveness of an organization's business continuity management process.
Change Management Audit Work Program
This audit work program focuses on the technology change management process, specifically covering documentation, approvals, testing and migration to production.
Changing Trends in Internal Audit and Advanced Analytics
This report sheds light on how the largest financial services industry internal audit departments are progressing in their efforts to develop more advanced analytics capabilities.
Chemical Industry Compliance Requirements
According to a Symantec intelligence report, the chemical and pharmaceutical industry is the second-most targeted sector by directed online attacks. This guide focuses on the importance and variety of regulatory requirements in the chemical industry.
Clear and Present Danger: Cybersecurity Should Be a Top Priority
To avoid making 2015 synonymous with 2014 when it comes to cybersecurity issues, internal auditors must play an important role in securing the organization. That responsibility entails working closely with the board, executive management and functional leaders.
Cloud Adoption Putting Cloud at Heart of Business and IT Strategy
This white paper outlines how technology executives should leverage the cloud to address a number of business and technology objectives.
Cloud Computing Training Guide
This 25-page presentation serves as a guide to cloud computing, moving beyond the basic definition to cover related types of services, cloud computing trends, top risks, audit considerations and more.
Cloud Security: Keeping Data Safe in the “Boundaryless” World of Cloud Computing
As cloud service providers mature and expand and refine their offerings, it is increasingly difficult for many organizations not to at least consider moving certain functions to the cloud. Cost reduction, scalability, flexibility and elasticity are just some of the potential benefits of such a move.
Control Objectives for Information and Related Technology (COBIT) is a management tool for IT. It has been developed by ISACA as an accepted standard for good IT security and control practices. It is intended for use by management, IT auditors, and control and security practitioners. COBIT defines what needs to be done to implement an effective control structure.
Commercial Property Lease Application Audit Work Program
This audit program reviews an application that handles transactions related to leasing and renting commercial property. The Commercial Property Lease Application Review Audit Work Program lists project work steps pertaining to planning, fieldwork and communication. It explains in detail the procedures for reviewing an application that handles transactions related to leasing of commercial property.
Computer Operations/Job Scheduling Audit Work Program
This audit work program focuses on computer operations and IT job scheduling. Audit objectives and test steps help determine and review the role of computer operations within an organization, the responsibilities of the computer operations department, and ability to proactively manage computer operations.
Contract Review Audit Work Program
The objectives of this work program are to assess whether contracts are executed in accordance with agreed-upon terms and to ensure that all contracts are valid, properly authorized, and mitigate the risk of loss.
Control Self-Assessment Physical Security
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This self-assessment questionnaire provides a starting point for a physical security assessment.
Core Competency: The Case for FSI IT Modernization
FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. In this article, we discuss the three main drivers: risk mitigation; cost savings; revenue generation.
COSO 2013 and the Implications to IT Controls
As organizations transition to COSO 2013 from the earlier 1992 version, adopters will find themselves taking a hard look at the updated framework’s 17 principles as well as their impact on IT controls.
Create IT Internal Controls as Unique as Your Startup
As the board and CFO know all too well, IT controls must become a top priority as a company matures and considers an IPO. To satisfy control and compliance requirements without disrupting the company’s culture of independence and innovation, we suggest that startups create their own IT general controls (ITGC).
Credit Card Data Purge Policy
This policy outlines a set of procedures for the credit card data purge process including specific purge procedures, a purge schedule, and related definitions.
Credit Card Information Handling Policy
Use this policy to ensure that credit and debit card information and other personal financial data is accessible by a limited number of authorized team members and maintained in accordance with applicable law.
Customer Credit Data Analytics Work Program
This eight-page work program utilizes data analytics to review the customer credit process.
In this article, Jordan Reed, a managing director in Protiviti’s Houston office, answers questions related to cybersecurity and The IIA’s GAIT framework.
Cybersecurity Disclosures in Risk Factors
This article focuses on the industry-specific disclosure rates of cybersecurity risk factors for a select group of industries.
2014 IT Audit Benchmarking Survey
The results of our third annual IT Audit Benchmarking Survey show that organizations continue to leave themselves significant room for improvement in their IT audit programs and practices. To put it simply, a large percentage of organizations are not planning and instituting the IT audit coverage necessary to ensure an available, secure and efficient IT environment. In this report, we reveal the key findings from our IT Audit Benchmarking Survey. These findings and their implications should be considered as part of an organization’s annual audit plan.
Cybersecurity Audit Report
This audit report presents the results of vulnerability assessments and penetration testing performed on an organization’s external and internal facing environment.
Cybersecurity: What Are the Boardroom Implications?
What does safeguarding your assets really mean? Who is responsible for it? This article answers those questions and helps you determine how to protect your digital assets, ensure cybersecurity is appropriately considered, and decide what actions to take.
Data Analytics in Internal Audit: An Imperative That Can’t Wait
This article outlines a road map to help you develop and execute a methodology for integrating data analytics into your audit work.
Data Backup and Retention Policy
The following sample outlines a set of policies and procedures for data backup and retention including network server backups, tape backups and job scheduling.
Data Backup Policy
This policy provides standardized procedures for backing up and maintaining computer files within an organization on a regular basis.
Data Breach Notification Memo
This memo's purpose is to notify an individual regarding the possibility of a personal information breach and explain the steps taken by a company to protect against identity theft or abuse of information.
Data Center Controls Questionnaire
This 45-page questionnaire covers thirteen aspects of mainframe data center general controls.
Data Center Review Audit Work Program
This audit work program evaluates access and environmental controls and provides recommendations for meaningful changes to an organization's data center.
Data Center Walkthrough Audit Work Program
This work program will help determine whether information resources are protected against unauthorized access and environmental hazards.
Data Conversion Compliance Questionnaire
This questionnaire provides an outline for reviewing documentation associated with a data conversion. Sections of the questionnaire include template review observations, documentation review observations, compliance recommendations, and compliance rating.
Data Conversion Process Flow
Data conversion is the conversion of computer data from one format to another. This process flow details the steps involved in the conversion of data from one application into another application.
Data Conversion Review Audit Work Program
The objective of this work program is to determine whether the appropriate project management controls are in place to ensure a successful and effective conversion of data from a legacy system to a new system.
Data Conversion Audit Work Program
This work program outlines steps for conducting a data conversion audit, specifically focusing on data extraction, transfer and accuracy.
Data Governance Questionnaire
Data governance is a wide set of management and technical disciplines designed to ensure that an institution has the right data available at the right time and that the data is accurate and in the correct format required to satisfy specific business needs. Putting data into the context of an institution's business needs requires understanding of the business definition of specific data elements, the way those elements are used within specific business processes across the enterprise, the individual systems or databases that house the elements, and any business rules or transformations that are applied to the data. This requires complete knowledge of both business and technical metadata to provide a full view of the lineage and proper use of key data elements. An effective data governance program should provide the answers to each of these questions, and many more.
Data Governance Review Phase I Memo
This memo documents internal audit's summary of findings from a data governance review.
Data Integrity Risk Key Performance Indicators
Data integrity risk encompasses risks associated with the authorization, completeness and accuracy of business transactions as they are entered into, processed, summarized, and reported by the various network-enabled systems. This document outlines data integrity business risks and practices for dealing with such risks.
Data Output Controls Questionnaire
Data output controls are used to ensure the integrity of output, and the correct and timely distribution of output produced. This questionnaire helps auditors evaluate the adequacy of output controls to ensure that data processing results are reliable, output control totals are accurate, and reports are distributed in a timely manner.
Database Administration Audit Work Program
This audit work program provides steps for a database administration review.
Database Audit Program
This database audit work program covers the following applications: DB2, Oracle 8i, Oracle 9i, Oracle RDB7, Sybase, and Progress. The work program is in the form of an Excel workbook, with a separate spreadsheet covering each of the following areas: Security; Change Management; and Monitoring.
Define IT Strategy and Organization RCM
This document outlines risks and controls common to the “define IT strategy and organization” process in a risk control matrix (RCM) format.
Delegated Entity Review Memo
This memo focuses on IT SOX readiness procedures for an application, testing change management, computer operations and logical security areas.
Deploy and Maintain Solutions RCM
This document outlines risks and controls common to the "deploy and maintain solutions" process in a risk control matrix (RCM) format.
Designing NetSuite ERP Application Security: Leveraging Fastpath Assure Access Monitoring Solutions
Defining security requirements in the early phase of a NetSuite implementation can help ensure efficiency and achievement of a clean slate with regard to mitigation of security risks prior to go-live.
Desktop Management Audit Work Program
This document outlines steps to audit the process used to deploy software to desktop computers.
Devices Are Mobile—Is Your Security Policy on Board?
While many employees may find the BYOD trend convenient—and the applications and cloud services that come with those devices certainly enable this convenience—the security risks worry employers.
Disaster Recovery Plan Assessment Checklist for IT
This checklist serves as a guide for reviewing a disaster recovery plan. The focus of this review is on information technology continuity, recovery, and restoration.
Disaster Recovery Plan Review Audit Work Program
This audit work program reviews an organization’s disaster recovery plan, including the creation of the plan, evaluation of the risks covered, their impact on the business, and whether or not the plan provides for appropriate methods to recover from threats.
Distribution Center/Consigned Inventory Audit Work Program
The purpose of this work program is to provide the general steps used for an audit of a distribution center for consigned inventory, including reviewing the shipping and receiving processes and inventory cycle counts.
Do Not Call Registry Policy
This sample policy ensures that all rules and regulations related to telemarketing are complied with and nothing is done to impair the brand and image of the organization.
Electronic Signature (E-Sign) Audit Work Program
The objective of this work program is to assess documented policies and procedures, including business requirements documentation, to determine if the provisions of the Electronic Signatures Act (E-Sign Act) and Department of Education are adequately addressed. Based upon the documentation, review the implementation of electronic signatures in each of the in-scope applications and determine if the implementation meets the provisions outlined in Company ABC’s documentation.
Eliminating Technology Risk Blind Spots: Mastering Alignment to Business Outcomes
This white paper defines the nature of the technology risk management challenge for chief information officers, other IT executives, chief risk officers and operational risk executives in financial services organizations.
Emerging Trends in Financial Services IA Analytics: A Benchmarking Study Overview
For decades, internal audit (IA) departments at financial services industry (FSI) organizations have relied on data analytics to support their work. With the growing availability of data, the value of this practice has increased significantly.
Encryption Key Management Policy
This policy outlines procedures taken to create, rotate, and purge encryption keys used for securing credit card data within software applications.
End-User Computing Audit Work Program
This work program focuses on auditing end-user computing, specifically concentrating on identifying the IT controls to be tested, reviewing the results of management’s testing and documenting the procedures used to test each control.
Enhanced Telecom Operations Model (eTOM) Process Classification Scheme
This conceptual view of an example Enhanced Telecom Operation Model (eTOM) process classification scheme (PCS) addresses the major business process areas of strategy, infrastructure & product, operations and enterprise management, and just as importantly, the supporting functional process areas. Read this document to learn more about the fundamental knowledge of telecommunication customer needs and all functionalities necessary for the acquisition, enhancement and retention of a relationship with a customer.
Ensuring Technology Changes are Well-Managed
In this article, we will explore how to manage technology changes and how to formally introduce a change management program to an organization.
Enterprise Accounting System Post-Implementation Review Memo
This review focuses on the configurable application controls, application security, and segregation of duties for the accounts payable and general ledger modules.
Enterprise Assessment and Monitoring Procedures
The purpose of this document is to develop a consistent process for scheduling and managing IT security assessment processes. The general steps outlined provide a process for conducting various types of assessments, as well as guidelines for monitoring security compliance within the computer system and network environments.
Enterprise Information Security Policy
This policy establishes information security policies setting baseline criteria for access to, through, or from an organization’s communication networks. It is intended to set the information security criteria, means, methods and measures to protect the confidentiality, integrity and availability of information assets and communication networks.
Entity Level Internal Audit Methodology
The entity level business process audit methodology focuses on understanding and analyzing the business. This understanding is primarily used to identify the target processes and risks during the audit planning process. Tools are provided to help with each phase of the process.
Envisioning Intelligent Cities
With self-, surroundings-, and situation-aware technologies emerging and evolving, scores of context-sensitive services could be readily built and deployed to enhance human care, choice, convenience and comfort substantially.
Establishing an Internal Audit Function Request for Proposal
This sample request for proposal (RFP) is used to solicit services to establish an internal audit function. It discusses the standard information providers should include in their proposals.
External Access Risk Key Performance Indicators (KPIs)
This tool outlines the business risks associated with inappropriate access to systems, data or information and suggests best practices to counter these risks.
Factors to Consider When Selecting an AML Transaction Monitoring System
A well-designed transaction monitoring system is an important component of an effective anti-money laundering compliance program.
Financial Institution Security Audit Work Program
This work program is an aid to assess the quantity of risk and the effectiveness of a financial institution’s risk management processes as they relate to the security measures instituted to ensure the confidentiality, integrity and availability of information and to instill accountability for actions taken on the institution’s systems.
Firewall Administration Policy
The purpose of this policy is to establish procedures and requirements to ensure the appropriate protection and continuous operation of a company’s firewall infrastructure.
Firewall Administration Audit Work Program
This work program provides general steps for a firewall administration audit, including documentation, logical access, configuration, operating systems logs, firewall tests, application logs, physical security and continuity of operations. Sample steps include: obtain network diagrams illustrating firewall connections and segmentation on the network; determine if the expectations/goals/strategies of the firewall have been identified and are sound; and ensure that logical access to the various components (routers, firewall software) of the firewall solution is appropriately restricted to the individuals with authorized need for such access.
Firewall Audit Work Program
This firewall audit program focuses on internet and firewall configuration security, internet and firewall configuration change management, network monitoring and intrusion detection, and firewall vulnerability assessment. The control objectives include: the connection to an external network, such as the Internet, is secured with an application gateway firewall and the firewall is properly configured to secure internet traffic; firewall change management procedures are appropriate to prevent incomplete, unintended or unauthorized changes to the PIX firewall and/or other critical network devices; network traffic is monitored to detect availability issues or security events; and the firewall is configured properly to prevent unauthorized access.
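The configuration-security objectives in the two firewall work programs above (logical access restricted, configuration sound, no unintended permits) are the kind an auditor tests by reading the ruleset top to bottom. The following script is an added example, not part of either KnowledgeLeader work program: it reviews a constructed, vendor-neutral rule list (action, source, destination, service, log flag; not PIX or any vendor's syntax) for permissive Internet-facing permits, management services exposed to any source, unlogged denies, shadowed (unreachable) rules and a missing deny-all cleanup rule. The management-service list, the expectation that deny rules log, and the sample ruleset are assumptions.

```python
"""Static review of a firewall ruleset against common configuration objectives.

Added example, not part of the KnowledgeLeader work program. The rule format
(action, source, destination, service, log flag) is a constructed, vendor-neutral
one; MGMT_SERVICES and the 'deny rules must log' expectation are assumptions."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_SERVICES = {"tcp/22", "tcp/23", "tcp/3389", "udp/161"}  # assumption: admin protocols


@dataclass
class Rule:
    idx: int
    action: str   # permit | deny
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # proto/port or "any"
    log: bool


def parse_rules(text):
    """Parse 'action src dst service log|nolog' lines; '#' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, service, log = line.split()
        rules.append(Rule(len(rules) + 1, action, src, dst, service, log == "log"))
    return rules


def _net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    return outer == ANY or (inner != ANY and inner.subnet_of(outer))


def review(rules, internal_nets):
    """Return (rule number, severity, message) findings; rule 0 means the whole ruleset."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for pos, r in enumerate(rules):
        src, dst = _net(r.src), _net(r.dst)
        if r.action == "permit":
            if src == ANY and dst == ANY and r.service == "any":
                findings.append((r.idx, "HIGH", "permit any->any on any service"))
            elif src == ANY and r.service in MGMT_SERVICES:
                findings.append((r.idx, "HIGH", f"{r.service} reachable from any source"))
            elif src == ANY and r.service == "any" and any(_covers(n, dst) for n in internal):
                findings.append((r.idx, "HIGH", "all services from any source into an internal network"))
        elif not r.log:
            findings.append((r.idx, "MEDIUM", "deny rule does not log"))
        # Shadowing: an earlier rule already matches every packet this one could match.
        for earlier in rules[:pos]:
            if (_covers(_net(earlier.src), src) and _covers(_net(earlier.dst), dst)
                    and earlier.service in ("any", r.service)):
                findings.append((r.idx, "LOW", f"unreachable: shadowed by rule {earlier.idx}"))
                break
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == last.dst == "any"
            and last.service == "any" and last.log):
        findings.append((0, "MEDIUM", "no explicit logged deny-all cleanup rule at the end"))
    return findings


def audit_ruleset(text, internal_nets):
    return review(parse_rules(text), internal_nets)


# Constructed sample ruleset (documentation address ranges only), evaluated top to bottom.
SAMPLE_RULES = """
# action  source            destination       service  log
permit    203.0.113.0/24    10.10.5.20/32     tcp/443  log
permit    any               10.10.5.20/32     tcp/443  nolog
permit    any               10.10.1.0/24      tcp/22   nolog
permit    any               10.10.9.0/24      any      nolog
deny      192.0.2.0/24      any               any      nolog
permit    10.10.0.0/16      any               any      nolog
permit    10.10.3.0/24      198.51.100.0/24   tcp/443  nolog
deny      any               any               any      log
"""

if __name__ == "__main__":
    for idx, sev, msg in audit_ruleset(SAMPLE_RULES, ["10.10.0.0/16"]):
        print(f"rule {idx:>2} {sev:<6} {msg}")
```

Run against the sample, the review flags rule 3 (SSH from anywhere), rule 4 (every service from the Internet into an internal subnet), rule 5 (an unlogged deny) and rule 7 (shadowed by the broader rule 6); a real engagement would feed it the exported ruleset and the organisation's own internal address plan.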
First-in-the-Nation Regulation Proposed to Protect New York State from Growing Cyberthreats
This Flash Report outlines the new, long-anticipated cybersecurity regulation proposed by New York Governor Andrew Cuomo.
Focus on Healthcare: Top Priorities for Internal Auditors
In this article, we summarize the five key priority areas for healthcare IA functions this year that were identified in Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, a joint survey from Protiviti and the Association of Healthcare Internal Auditors (AHIA).
Fraud Prevention Process: Debit and Credit Card Transactions Audit Work Program
This audit work program identifies and evaluates the effectiveness of a debit and credit card service provider’s fraud prevention process. It reviews the reports used to monitor fraudulent activity involving debit and credit cards and the system settings intended to identify potentially fraudulent transactions. For this audit, obtain the following documentation: organizational chart for the audited department; policies and procedures for the fraud department and any other departments involved in fraud prevention/detection via the system; a report of standard system settings including, if possible, a description of each setting; a list of reports generated via the system or used in the monitoring of fraudulent activities involving debit and credit cards including, if applicable, signature-based transactions; a copy of the latest report of the fraud department’s key performance measures.
From Cybersecurity to Collaboration
In this year’s Internal Audit Capabilities and Needs Survey, we’ve devoted a special section to the current state of cybersecurity. Our findings show that cybersecurity represents a major focus for internal audit programs, but it is far from the only pressing issue on internal audit’s plate.
FSI CBOK Study: Effective Assurance Alone Is No Guarantee of Internal Audit Success
The message of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study is clear: Assurance alone is no longer enough.
General Password Policy
The following sample outlines a policy for ensuring secure use of network passwords. This policy provides guidance regarding initial password setup, complexity, sharing, storage, and many other topics.
Global Cross Governance Council at General Mills Facilitates Collaboration and Supports a Shared Mission
General Mills’ products, which include Gold Medal flour, Pillsbury, Green Giant and Betty Crocker, have been household names for decades. The primary purpose of the Global Internal Audit (GIA) team at General Mills is to provide assurance to senior management and the board of directors that the company’s internal controls over financial reporting, IT and business operations are operating efficiently. In this profile, Cathy Harris, VP of GIA, outlines the benefits of collaborating across the organization. GIA strives to add value through selective risk advisory projects, typically focused on emerging operational or strategic risks. GIA has a collaborative relationship with the company’s director of internal controls, who reports to the corporate controller and assumes a coordinating role for the company’s enterprise risk management steering committee. Harris is a member of that steering committee, which provides assurance that risks are effectively managed.
Guide to Internal Audit FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Internal Audit FAQ, which is designed to be a helpful and easy-to-access resource that internal audit professionals can refer to regularly in their jobs.
Guide to Internal Audit
The internal audit (IA) profession has undergone significant changes since the New York Stock Exchange (NYSE) issued its new listing standard requiring an IA function. Companies are far more likely to have in place highly developed IA functions that address not only the NYSE standards, but also the SEC’s interpretive guidance on Section 404 of the Sarbanes-Oxley (SOX) Act and PCAOB Auditing Standard No. 5 (AS5). These regulatory developments have had a significant impact on internal audit functions. This booklet is designed to be a resource that IA professionals can refer to regularly in their jobs. The publication offers detailed insights into everything from building an IA function to managing and improving the function as the organization evolves.
Healthcare Industry IT Risk Assessment Questionnaire
The purpose of this tool is to help a healthcare company perform an IT risk assessment. The risk assessment worksheets document IT components, IT processes and IT projects, and provide business process definitions. The assessment also allows the user to configure options, and rank all identified risks automatically.
Hot Topics in Cybersecurity: An IT Audit Perspective
In this article, we review the hot topics in cybersecurity. All organizations—regardless of size—should review and discuss the following points.
How Can Organizations Retain IT Personnel?
Empirical analysis with a survey of 217 IT professionals showed that an IT manager’s transformational leadership is positively associated with IT personnel’s intention to stay.
HR System Pre-Implementation Audit Work Program
This audit program focuses on testing human resources system controls during the pre-implementation phase.
Identity and Access Management – Best Practices Guide
Identity and access management is an ongoing and critical process that demands continuous management. This guide describes eight key best practices for an identity management system to ensure better security, efficiency and compliance.
Implementation Review Scoping Checklist
This checklist assists with the scoping of an application controls review and/or implementation review that covers both pre- and post-implementation procedures. The primary goal is to identify those areas that Internal Audit will focus on during the implementation.
Improving SharePoint Adoption With the Right Analytics
In this article, we discuss the importance of using analytics to look behind the curtain of suboptimal adoption.
Information Security for Systems
This article explains how, in the absence of the order provided through security architecture, organizations tend to implement various security technologies "helter-skelter," that is, ad hoc at best.
Information Security Policy Development Policy
This document provides an outline and framework for creating a set of policies and procedures focused on the organization’s security of information.
Information Technology Security Policy
This policy helps ensure that corporate IT resources are appropriately protected from destruction, alteration or unauthorized access and that these protections are accomplished in a manner consistent with business requirements.
Internal Audit and IT Collaboration Enables Aristocrat Leisure Limited to Take Command of Complex Information Security Challenges
Darani Brown, group risk and audit manager at Aristocrat Leisure Limited, outlines how the organization's internal audit and IT functions collaborate to take command of complex information security challenges.
Internal Audit at a Tipping Point and Ten-Year Trends
The tenth edition of Protiviti’s Internal Audit Capabilities and Needs Survey includes 10-year trend data to illustrate top priorities and how they have evolved, dating back to when Protiviti began conducting the survey in 2007.
Internal Audit at Bayer AG
Bayer AG is a German multinational chemical and pharmaceutical company with core competencies in healthcare, agriculture and high-tech polymer materials. Bayer AG operates as a strategic management holding company that defines the values, goals and strategies of the entire corporation, including its three primary businesses: Bayer HealthCare, Bayer CropScience and Bayer MaterialScience. In this profile, Dr. Rainer Schwarz, Head of Corporate Auditing, discusses his mission of becoming able to identify and fix problems before they materialize. Schwarz believes that in order to be positioned to know what might go wrong in the organization before it actually happens, the internal audit function needs to strengthen partnerships throughout the organization. The objective for the internal audit team is to become trusted advisers the business calls upon before making major, potentially high risk, decisions.
Internal Audit at HSBC Builds Credibility and Helps Influence Change from the “Top Table” Down
HSBC Holdings plc is a British multinational banking and financial services company headquartered in London. It’s the world's second largest bank. Internal audit functions across the globe, including at HSBC Holdings, must now not only evaluate and improve upon the effectiveness of risk management, control and governance processes, but also respond to enhanced expectations from stakeholders. In this profile, Manveen Pam Kaur, Head of Internal Audit, focuses on the growing pressure internal audit functions experience. Internal audit still has to be very good at what’s traditionally been required of the function - being a third line of defense. But now it must also support the sustainability of the franchise from a long-term perspective. Because of these expectations, today’s internal audit leaders need to ensure the right skill sets are in the function to make it more forward-looking and driven by outcomes.
Internal Audit Integrates Control Into Emerging Technologies at American Airlines Group
This performer profile shares how the American Airlines Group is strengthening data security by performing reviews that compare internal processes to frameworks, such as the NIST Cybersecurity Framework and AICPA’s Generally Accepted Privacy Principles.
Internal Audit Planning Memorandum
This internal audit planning memorandum documents the audit approach and administrative details for each audit.
Internal Audit Plays Leading Role in Promoting Cybersecurity Risk Awareness at Beam Suntory
In this profile, Luci Roberts, vice president of internal audit and Beam Suntory’s chief audit executive (CAE), discusses how a stronger focus on cybersecurity risk management might help focus the IT procurement discussions within the business on risk rather than on who controls the purse strings.
Internal Audit Priorities for 2014
Internal audit efforts must be risk-based and contribute to the long-term assurance needs of the organization and its board. A formal audit risk assessment should be completed at least annually and the results of that assessment should direct internal audit priorities. Fall is an excellent time to refocus one’s sights on the long-term horizon. Certainly, each organization will have different goals, objectives, issues and challenges; no single “standard” long-term internal audit plan will work. In this article, we outline 12 top priorities for internal audit departments to consider when evaluating their organizations’ internal audit efforts.
Internal Audit Risk Assessment Questionnaire
Internal audit performs this risk assessment to identify and prioritize key risks to best allocate the internal audit resources for the next year. This risk-based approach is focused on surveys/interviews of a cross-section of management personnel to solicit input from the potential customers of an internal audit function. The output from the surveys and interviews can be used to develop an audit plan that creates broad coverage through a blend of internal audits, control self-assessment and targeted external audit coverage.
Internal Audit Strategic Focus Questionnaire
This questionnaire explores internal audit’s strategic contributions and what management and boards should expect from audit going forward.
Internal Auditing Around the World: Volume 12
In our latest edition of Internal Auditing Around the World, we interviewed 22 inspiring female internal audit leaders who are devoted to evolving their departments through the use of technology.
Internal Auditing in a Culture of Avoidance
It's no secret that technology is frequently used to bring about harm rather than good. Yet many enterprises continue to allow technology to be implemented with weak controls and the absence of effective measures to detect when controls are breached. As a consequence, sensitive information is stolen or disclosed on a massive scale and it is virtually impossible to hold anyone accountable for the harm done.
Internal Auditors at Baidu Look to Data Analysis to Help Make Risk Assessments Less Subjective
Baidu operates Baidu.com, the most widely used Internet search engine in China. In addition to China, Baidu operates in Brazil, Egypt, Japan, Indonesia and Thailand. It offers more than 50 Internet and web search services, as well as the world’s largest user-generated Chinese-language encyclopedia. Internal auditors at Baidu are organized into three teams: traditional audits, IT audits, and construction audits. In this profile, Kevin Shi, Head of Internal Audit, Control and Compliance, talks about internal audit’s short-term and long-term goals. Short-term, its goals are to help Baidu balance risks and improve processes throughout the organization, so it can save costs and increase efficiency as the company grows. Long-term, internal audit looks to assume a more strategic role, providing consultation to the management team and helping to facilitate more informed business decision-making.
Internet and Email Acceptable Use Policy
This sample policy helps company employees optimize their use of the internet, protect confidential information, preserve and enhance the company's image, and minimize costs associated with internet usage.
Intranet and Internet Security Policy
This policy outlines guidelines for internet and intranet security within a company. It applies to all users who access the company’s computing or networking resources, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners and vendors.
Intranet and Internet Security Policy: Sample 2
This policy, a necessary part of an organization’s security strategy, outlines intranet and Internet security procedures for responding to new risks and threats.
Introduction to Information Technology (IT) Audit (KLplus CPE Course)
Information technology (IT) in today’s business environment has a direct impact on a company’s risk, and this relationship to risk should be an important driver in the internal audit process. IT performs or provides the information needed for many key controls in the business process, but it also brings inherent vulnerabilities.
Introduction to the Internal Audit Profession (KLplus CPE Course)
Internal auditing is an important and pragmatic process which can be of significant value to all commercial enterprises. This course serves as a roadmap to the understanding and efficient operation of the internal audit profession.
Introduction to the Internal Audit Profession (KLplus FREE Course)
This basic-level course explains the general purpose, role, and skills required of an internal auditor. The course explains the steps in an internal audit and the role of information technology in the audit process, as well as the roles of the audit committee and the benefits of internal audit functions to the audit committee.
IS Resource Management Internal Audit Review Report
This sample report focuses on how a company prioritizes information systems (IS) projects and manages IS resources.
ISO 27001 Information Security Assessment Report
This audit report focuses on a project baselining an organization’s information security practices, with the purpose of identifying opportunities to advance the information security function.
IT Application Management Audit Work Program
This sample IT application management audit work program is designed around key risk indicators of potential problems.
IT Asset Management Audit Work Program
These two sample work programs focus on the IT asset management process, specifically adequacy of controls, overall efficiency and effectiveness of processes, and compliance with policies and procedures.
IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions
Protiviti’s David Brand and Accenture’s Bob Kress answer questions received during the 2016 IT Audit Benchmarking Survey webinar.
IT Audit Learners Guide
This IT Internal Audit Learner's Guide provides students with an overview of what they must achieve and how they will be assessed. The guide helps determine whether they have achieved the required knowledge and core IT audit competencies.
IT Automated Controls Policy
This sample policy outlines the internal control testing processes and the testing frequency of automated controls at a company.
IT Capacity and Scalability Risk Questionnaire
Capacity, in the IT business environment, is defined as the measure of the sufficiency of the IT infrastructure to handle volume within performance objectives. Scalability is a related measure of an IT asset’s ability to rapidly and readily accommodate volume requests. This questionnaire outlines business risks and leading practices for both capacity and scalability.
IT Change Advisory Board Charter
In accordance with the company’s IT change management policy, the IT change advisory board reviews and approves technology changes scheduled for upcoming release dates. This charter establishes the IT change advisory board and outlines its scope, key roles and responsibilities, activity sequence, and meeting objectives. The IT change advisory board provides a structured framework for achieving the objectives of ensuring appropriate awareness of changes and change impacts (e.g., cost impact and schedule); assessing changes for potential conflicts, issues and resource management; and negotiating, authorizing, approving and informing the business of risks associated with the request for change. The IT change advisory board is responsible for review and approval of all requests for change from the company’s personnel, contractors and third-party vendors.
IT Change Management Policy
This policy outlines procedures for implementing a network/infrastructure change management process. The major change management activities include: requests for changes from the network/infrastructure management area; review, prioritization and approval of changes; development, testing and update of records (migration); and emergency changes.
IT Change Management Policy: Sample 2
This policy defines standardized methods and processes for effective information technology (IT) change management at an organization in order to mitigate risk.
IT Change Management Process Flow
To regulate information technology (IT) changes from beginning to end, it’s important to have an IT change management process in place. This sample process flow walks through six steps in the IT change management process.
IT Change Management Audit Work Program
This audit program focuses on assessing controls that mitigate the risks inherent within IT change management processes.
IT Controls and Governance Guide
This guide highlights challenges that may disrupt an organization's IT governance and provides a roadmap for activating an effective IT governance framework.
IT Controls Best Practices, Part 1 - Generic
This is Part 1 of a document created to identify leading practices for auditing IT controls. The presentation includes process maps and defines risk objectives and control points for change management, security administration, operations and application controls.
IT Data Management Policy
This policy outlines procedures for implementing data management (backup and recovery) processes. The major activities included are file backup and recovery, tape backup and offsite storage, restoration testing, and production server jobs. In this example, all servers that contain unique information are backed up. A full backup of these servers is performed weekly, in addition to daily incremental backups. Backup logs are maintained for a period of seven years. Backup media for critical systems is temporarily stored onsite in the data center before being rotated to the offsite tape storage vendor. Backup tapes are rotated to the vendor weekly. Tape retention is seven years.
IT Data Management Policy: Sample 2
The purpose of this policy is to ensure that the critical data stored in applications and on servers is frequently backed up, stored and secured offsite. This process allows for prompt recovery of important and critical company data in the event of accidental or intentional corruption, loss or destruction of data. In the event of any computer and/or business operation disruptions, this policy ensures that critical information systems processing functions can continue or be resumed promptly, that information processed and provided by these applications is complete and accurate, and that network server files and non-application data can be restored.
IT Data Management Audit Work Program
This document outlines steps to audit an organization’s data management process and includes a self-assessment questionnaire that gives the auditee an opportunity to inform internal audit about controls and processes employed.
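The backup schedule described in the IT Data Management Policy entry above (weekly full, daily incremental, weekly offsite rotation, periodic restoration testing) is exactly what the data management audit work program would test, and the evidence is normally a backup job log. The script below is an added example, not part of either KnowledgeLeader document: it reads a constructed CSV job log and reports, per server, any day without a successful backup, any gap between full backups longer than a week, any full backup not shipped offsite within a week, and the absence of a successful restoration test. The CSV layout, the thresholds in POLICY, the two-week audit window and the sample records are assumptions; the seven-year retention requirement cannot be tested from a two-week log and is not covered.

```python
"""Tests a backup job log against a weekly-full / daily-incremental / weekly-offsite policy.

Added example, not part of the KnowledgeLeader policy or work program. The CSV
columns, POLICY thresholds, audit window and sample records are constructed."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

POLICY = {"full_every_days": 7, "offsite_within_days": 7}          # assumption
PERIOD_START, PERIOD_END = date(2024, 3, 4), date(2024, 3, 17)      # constructed audit window


def audit_backups(log_text, period_start, period_end):
    """Return {server: [finding, ...]}; an empty list means the server is compliant.
    Simplification: the window edges act as checkpoints for the weekly-full gap
    test, so start the window shortly after a known full backup."""
    by_server = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_server[row["server"]].append(row)
    period = [period_start + timedelta(d) for d in range((period_end - period_start).days + 1)]
    results = {}
    for server, jobs in sorted(by_server.items()):
        findings = []
        ok = [j for j in jobs if j["status"] == "success"]
        # Daily coverage: every day in the window needs a successful full or incremental.
        backup_days = {date.fromisoformat(j["date"]) for j in ok if j["job"] in ("full", "incremental")}
        missed = [d for d in period if d not in backup_days]
        if missed:
            findings.append(f"no successful backup on {len(missed)} day(s), first {missed[0]}")
        # Weekly full: no gap between consecutive fulls (or the window edges) above the limit.
        fulls = [j for j in ok if j["job"] == "full"]
        checkpoints = [period_start] + sorted(date.fromisoformat(j["date"]) for j in fulls) + [period_end]
        longest = max((b - a).days for a, b in zip(checkpoints, checkpoints[1:]))
        if longest > POLICY["full_every_days"]:
            findings.append(f"weekly full backup missed: longest gap {longest} days")
        # Offsite rotation: each successful full must be shipped within the limit.
        for j in fulls:
            taken = date.fromisoformat(j["date"])
            shipped = date.fromisoformat(j["offsite"]) if j["offsite"] else None
            if shipped is None or (shipped - taken).days > POLICY["offsite_within_days"]:
                findings.append(f"full backup of {taken} not rotated offsite within "
                                f"{POLICY['offsite_within_days']} days")
        # Restoration testing: at least one successful restore test in the window.
        if not any(j["job"] == "restore_test" for j in ok):
            findings.append("no successful restoration test in period")
        results[server] = findings
    return results


def constructed_log():
    """Two weeks of constructed job records: 'fileserver' follows the policy;
    'dbserver' misses a day, fails a full, never ships tapes and never restores."""
    lines = ["date,server,job,status,offsite"]
    for d in range((PERIOD_END - PERIOD_START).days + 1):
        day = PERIOD_START + timedelta(d)
        job = "full" if day.weekday() == 5 else "incremental"       # Saturday full
        for server in ("fileserver", "dbserver"):
            status, offsite = "success", ""
            if job == "full":
                offsite = (day + timedelta(3)).isoformat()
            if server == "dbserver":
                if day == date(2024, 3, 13):
                    continue                                         # no job ran that day
                if day == date(2024, 3, 16):
                    status = "failed"
                offsite = ""                                         # tapes never left site
            lines.append(f"{day.isoformat()},{server},{job},{status},{offsite}")
    lines.append("2024-03-12,fileserver,restore_test,success,")
    return "\n".join(lines) + "\n"


def run_audit():
    return audit_backups(constructed_log(), PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for server, findings in run_audit().items():
        print(server, "compliant" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the constructed log, fileserver comes back clean and dbserver produces four findings (two uncovered days, an eight-day gap between fulls, an unshipped full and no restore test). In practice the same four checks are run over the backup software's exported job history and the offsite vendor's pickup manifests.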
IT Employee Termination Checklist
This checklist outlines steps to follow when an IT employee stops working for a company. It should be modified to reflect each organization’s employee termination process.
IT Enterprise Change Management Policy
The enterprise change management process provides the structure to consistently manage IT assets. This policy focuses on effectively mitigating the risks to system availability, integrity of data, and the interoperability of the organization’s information resources.
IT General Controls Design Assessment – Work Program
This work program evaluates the design of the IT general control environment, including infrastructure, applications, policies and procedures.
IT General Controls Questionnaire
IT general controls are critical and central to business processes. This Excel-based template provides a number of COBIT areas and the related control objectives for each IT general control. You can document items such as whether the control exists, whether it was designed properly, the related test procedures, and the management action plan for deficiencies. This questionnaire has been updated with areas defined in COBIT 4.1.
IT General Controls Scoping Questionnaire
This questionnaire has been designed to facilitate an assessment of existing controls to determine if they align with the IT Governance Institute (ITGI) control objectives. This questionnaire will allow the reviewer to determine which control objectives and illustrative controls are in-scope, and document which control objectives and illustrative controls are currently addressed with existing controls.
IT General Controls: Computer Operations Audit Work Program
This work program focuses on auditing computer operations. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT General Controls: Program Development Audit Work Program
This work program focuses on auditing the program development process. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
IT Governance Test Metrics Guide
This comprehensive guide provides various software test metrics across manual, performance, automatic and other common IT governance processes in an easy-to-navigate Excel spreadsheet format.
IT Help Desk Audit Work Program
This document outlines steps to audit an organization’s IT help desk process.
IT Operations Management Self-Assessment Questionnaire
This high-level self-assessment questionnaire can be used by an auditee prior to a review of IT operations management.
IT Operations Management Audit Work Program
This document outlines steps to audit an organization’s IT operations management process.
IT Organization Audit Work Program
This document outlines steps to perform an IT organization audit.
IT Organizational Assessment Report
This report focuses on assessing and improving IT processes. It provides an overview of methodology, business value drivers, recommendations and an improvement roadmap.
IT Organizational Planning Report
This sample report focuses on business strategy, anticipated growth and expected international expansion, and presents options for designing a future-state IT organization and governance structure.
IT Performance Risk Key Performance Indicators
This tool focuses on business risks related to IT performance and performance measures and includes questions for risk evaluation.
IT Planning Questionnaire
Technology is permeating virtually every aspect of business today. The purpose of this questionnaire is to help organizations think about how they can develop a deeper knowledge of the IT infrastructure and processes in order to better understand both the current state and desired future state.
IT Platform Management Work Program
This document outlines steps to audit an organization’s IT platform management process.
IT Process Questionnaire: Change Management
The purpose of this IT process questionnaire is to ensure that all changes to IT resources and infrastructure configurations are carried out in a planned and authorized manner. It involves distinct processes both for managing change requests and also for deploying those changes throughout the enterprise.
IT Project Governance Work Program
This audit work program outlines steps for executing an IT project governance audit.
IT Risk Assessment Audit Report
This report outlines findings from a high-level IT risk assessment at a company.
IT Risk Assessment Questionnaire
This tool includes risk assessment questions for both IT management and executive IT management.
IT Risk Assessment: The Big Picture
Most, if not all, business transactions executed today touch the information technology (IT) environment at some point in their lifecycle. As organizations plan for the next calendar year, it’s logical to regard the IT risk assessment as a critical component that should be reviewed through the internal audit function.
IT Risks and Controls Review Report
The objective of this audit report is to reduce the volume of controls across applications, infrastructure and IT processes in order to improve consistency and focus on key risks.
IT Security and Privacy Survey Webinar Highlights
One in three organizations falls victim to a cyberattack. If your organization is not keeping pace with the threats, then you are falling behind.
IT Service-Level Agreement Questionnaire
The purpose of this interview questionnaire is to assess the IT processes, including the IT help desk, associated with a service-level agreement.
IT Steering Committee Guide
An IT steering committee is composed of senior IT management and business leaders meeting on a regular schedule to review, prioritize and resolve project issues with the aim of creating high-performing IT infrastructure. This guide provides an IT steering committee overview, including meeting structure, roles and responsibilities, and some key best practices.
IT Strategy Gap Assessment Report
Strategic alignment between business goals and drivers, and IT goals and initiatives is a critical area for most organizations. This report focuses on the gap assessment results of a company’s IT strategic plan.
IT Strategy Management Work Program
This document outlines steps to audit an organization’s IT infrastructure management strategy process.
IT Support Policy
This policy outlines procedures for providing company IT support to employees, including detailed steps for submitting a request to corporate IT, getting urgent help after normal business hours and escalating an issue if no response is received.
IT System Access and Re-Certification Policy
This sample establishes the standards and procedures for maintaining proper system access security at a company.
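An access re-certification, as the policy above requires, and the IT Employee Termination Checklist listed earlier are tested the same way: reconcile the system's account export against the HR roster and look for what the controls should have caught. The script below is an added example, not part of the KnowledgeLeader policy or checklist. It flags accounts with no HR owner that are not on an approved service-account list, accounts of terminated staff that are still enabled or were disabled late, dormant accounts, and privileged accounts whose access has not been re-certified in the current cycle. The CSV columns, the thresholds, the approved service-account list and the sample data are all constructed assumptions.

```python
"""Access re-certification test: reconcile an account export against the HR roster.

Added example, not part of the KnowledgeLeader policy or checklist. The CSV
columns, thresholds, approved service-account list and sample data are constructed."""
import csv
import io
from datetime import date

AS_OF = date(2024, 6, 30)                    # constructed audit date
DORMANT_DAYS = 90                            # assumption: disable after 90 days without logon
RECERT_DAYS = 90                             # assumption: privileged access re-certified quarterly
DISABLE_SLA_DAYS = 1                         # assumption: disable by the next day after termination
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}   # assumption: documented non-human accounts

HR_ROSTER = """emp_id,name,status,term_date
E100,Alice Adams,active,
E101,Bob Brown,terminated,2024-05-15
E102,Carol Chen,active,
E103,Dan Diaz,terminated,2024-06-20
"""

ACCOUNT_EXPORT = """username,emp_id,enabled,privileged,last_logon,last_recert,disabled_on
aadams,E100,yes,yes,2024-06-28,2024-02-01,
bbrown,E101,yes,no,2024-05-14,2024-05-01,
cchen,E102,yes,no,2024-03-01,2024-05-01,
ddiaz,E103,no,no,2024-06-19,2024-05-01,2024-06-25
svc_backup,,yes,yes,2024-06-30,2024-06-01,
tmp_admin,,yes,yes,2024-06-29,,
"""


def _date(text):
    return date.fromisoformat(text) if text else None


def recertify(hr_csv, accounts_csv, as_of):
    """Return (username, severity, message) findings, one per failed control."""
    roster = {r["emp_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        enabled = acct["enabled"] == "yes"
        privileged = acct["privileged"] == "yes"
        owner = roster.get(acct["emp_id"])
        # Ownership: every account maps to a person or to an approved service account.
        if owner is None:
            if user not in APPROVED_SERVICE_ACCOUNTS:
                findings.append((user, "HIGH", "no HR owner and not an approved service account"))
        elif owner["status"] == "terminated":
            # Termination control: the account is disabled, and disabled promptly.
            term = _date(owner["term_date"])
            disabled_on = _date(acct["disabled_on"])
            if enabled:
                findings.append((user, "HIGH", f"owner terminated {term} but account still enabled"))
            elif disabled_on is None or (disabled_on - term).days > DISABLE_SLA_DAYS:
                lag = "unknown" if disabled_on is None else (disabled_on - term).days
                findings.append((user, "MEDIUM", f"disabled {lag} days after termination (SLA {DISABLE_SLA_DAYS})"))
        # Dormancy: enabled accounts that nobody has used.
        if enabled and (as_of - _date(acct["last_logon"])).days > DORMANT_DAYS:
            findings.append((user, "LOW", f"dormant: no logon for more than {DORMANT_DAYS} days"))
        # Re-certification: privileged access confirmed by the owner's manager this cycle.
        if enabled and privileged:
            last = _date(acct["last_recert"])
            if last is None or (as_of - last).days > RECERT_DAYS:
                findings.append((user, "MEDIUM", f"privileged access not re-certified within {RECERT_DAYS} days"))
    return findings


def run_recertification():
    return recertify(HR_ROSTER, ACCOUNT_EXPORT, AS_OF)


if __name__ == "__main__":
    for user, severity, message in run_recertification():
        print(f"{severity:<6} {user:<10} {message}")
```

On the sample data the test surfaces a terminated employee whose account is still enabled, another disabled five days after termination, a dormant account, a privileged account overdue for re-certification, and an unowned privileged account that has never been certified; the approved service account passes.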
IT System Development Life Cycle (SDLC) Methodology
The system development life cycle (SDLC) methodology promotes a controlled business environment where an orderly process takes place to minimize risk for implementing major new applications or changes to existing applications. The purpose of this policy is to clearly define the methodologies and processes for effective implementation of application development projects and significant application upgrades.
IT Vendor Management Audit Work Program
The objective of this audit work program is to evaluate the controls and processes required for conducting an IT vendor management audit.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
Leveraging Technology Helps Accenture’s Internal Auditors “Connect the Dots”
This Performer Profile highlights how Accenture is leveraging technology to spot emerging risks and identify valuable cost-savings opportunities throughout the business.
Linux Audit Checklist
This checklist is to be used to audit a Linux environment. It provides a generic set of controls to consider when auditing a Linux environment and does not account for the differences between the Linux distributions on the market (e.g., Red Hat, Caldera, Mandrake).
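The account-level items on such a checklist are distribution-neutral and can be tested mechanically from /etc/passwd, /etc/shadow and /etc/login.defs. The script below is an added example, not part of the KnowledgeLeader checklist: it flags UID 0 accounts other than root, duplicate UIDs, system accounts with interactive shells, accounts with an empty password field, usable passwords that never expire, and a PASS_MAX_DAYS above policy. The thresholds and the sample file contents (with placeholder hashes) are constructed assumptions; distribution-specific items such as package sets and service managers are out of scope.

```python
"""Generic Linux account checks over passwd, shadow and login.defs contents.

Added example, not part of the KnowledgeLeader checklist. Thresholds and the
sample files are constructed; the hashes are placeholders, not real hashes."""
import re
from collections import Counter

SYSTEM_UID_MAX = 999            # assumption: UIDs below 1000 are system accounts
MAX_PASS_DAYS = 90              # assumption: password aging ceiling from policy
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PASSWD_FIELDS = ["name", "pw", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved"]


def parse_colon_file(text, fields):
    """Parse a colon-separated account file into dicts keyed by field name."""
    return [dict(zip(fields, line.split(":")))
            for line in text.splitlines() if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, login_defs_text):
    """Return (subject, severity, message) findings."""
    findings = []
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = {r["name"]: r for r in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    for u in passwd:
        name, uid, shell = u["name"], int(u["uid"]), u["shell"]
        if uid == 0 and name != "root":
            findings.append((name, "HIGH", "UID 0 account other than root"))
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append((name, "MEDIUM", f"system account has interactive shell {shell}"))
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "MEDIUM", "no matching shadow entry"))
        elif entry["hash"] == "":
            findings.append((name, "HIGH", "empty password field: login without a password"))
        elif not entry["hash"].startswith(("!", "*")):        # a usable hash, not a locked account
            if not entry["max"] or int(entry["max"]) > MAX_PASS_DAYS:
                findings.append((name, "LOW", f"password max age {entry['max'] or 'unset'} "
                                              f"exceeds {MAX_PASS_DAYS} days"))
    # Duplicate UIDs make two logins indistinguishable in file ownership and audit trails.
    for uid, count in Counter(u["uid"] for u in passwd).items():
        if count > 1:
            names = ",".join(u["name"] for u in passwd if u["uid"] == uid)
            findings.append((names, "MEDIUM", f"duplicate UID {uid}"))
    m = re.search(r"^PASS_MAX_DAYS\s+(\d+)", login_defs_text, re.MULTILINE)
    if m is None or int(m.group(1)) > MAX_PASS_DAYS:
        findings.append(("login.defs", "MEDIUM", f"PASS_MAX_DAYS missing or above {MAX_PASS_DAYS}"))
    return findings


# Constructed sample files; the $6$ hashes are placeholders.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest:x:1001:1002:Guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$salt$placeholder:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
alice:$6$salt$placeholder:19700:0:90:7:::
bob::19700:0:99999:7:::
toor:$6$salt$placeholder:19700:0:99999:7:::
guest:!:19700:0:99999:7:::
"""
SAMPLE_LOGIN_DEFS = """PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""


def run_checklist():
    return audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS)


if __name__ == "__main__":
    for subject, severity, message in run_checklist():
        print(f"{severity:<6} {subject:<12} {message}")
```

Reading /etc/shadow on a live host requires root, so in an audit the files are usually collected by the system owner and reviewed offline, which is why the checks take file contents rather than paths. On the sample, the script reports the second UID 0 account, bob's empty password, the backup account's interactive shell, two duplicate UIDs, two never-expiring passwords and the permissive PASS_MAX_DAYS.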
Looking Deeper Into Robotic Automation
This white paper offers considerations and case studies for robotic process and desktop automation.
Making Internal Audit a Value-Adding Contributor to Economic Recovery
The severity of the current global economic downturn has left organizations around the world searching for ways to contain costs, improve efficiencies, maintain customer satisfaction levels and protect their balance sheets. This unprecedented economic crisis has been nothing short of an urgent call to action for more robust risk management practices in organizations. Not only is it essential for internal audit to ensure that its activities are fully aligned with the expectations of the organization’s leadership, it is vital for the organization’s leaders to look to the internal audit function for the support they need. This issue of The Bulletin explores how internal audit can contribute to the organization as it recovers from crisis, and what management and boards of directors should expect of internal audit going forward.
Manage Security and Privacy RCM
This document outlines risks and controls common to the "manage security and privacy" process in a risk and control matrix (RCM) format.
Manage Service RCM
This document outlines risks and controls common to the "manage service" process in a risk and control matrix (RCM) format.
Manage IT Assets RCM
This document outlines risks and controls common to the "manage IT assets" process in an RCM format.
Managing Cybersecurity Risk
In this issue of Board Perspectives: Risk Oversight, we present four considerations for managing cybersecurity risk.
Maximizing Opportunities in the SharePoint Environment: Conducting Assessments and Resolving Challenges
This white paper discusses how SharePoint, like any business-critical technology infrastructure, should be viewed as a “living” platform that needs to be monitored regularly to ensure optimal performance and reduce risk.
Minimum Testing Standards for Systems and Data Memo
This memo outlines minimum IT controls around user access, change control, backup, privacy, licenses and document retention.
Mining Internal Audit’s Capabilities and Needs
Audit executives from Protiviti and Wells Fargo reviewed the results of the 2013 Internal Audit Capabilities and Needs Survey in a recent webcast. In this article, we outline their discussion of the survey results.
Mobile Device Procurement Memo
This memo outlines an internal audit review of an organization's mobile device procurement process.
Network Access and Infrastructure Audit Work Program
This audit program outlines steps to test the effectiveness of an organization’s network access and infrastructure. The test steps focus on the organization’s related policies and procedures, review and follow up of prior audit recommendations, custom reports, segregation of duties, business continuity/disaster recovery, laws and regulations, general ledger, outsourced processes, and fraud consideration regarding the network infrastructure.
Network Infrastructure Audit Work Program
These two sample work programs provide general steps for an IT network infrastructure audit.
Network Audit Management Memo
This memo documents low-risk opportunities in the network infrastructure environment identified during an internal audit review and meant for management’s information and consideration only.
Oracle eBusiness Suite Policy
This sample policy outlines procedures for controlling access to and use of the Oracle eBusiness suite and database.
Oracle Security in the Cloud
This white paper outlines the steps to achieve a secure cloud system and avoid some common pitfalls in the process.
Order Management Process Audit Work Program
This work program provides key steps for a review of the order management process, including identification of performance metrics and computer-assisted auditing steps.
Oversight of IT Risk Management
Effective board risk oversight can contribute to strengthening the Information Technology (IT) organization so that it maximizes the value IT delivers. Deployment of technology to reduce costs, improve business processes and progressively drive revenue expansion is altering the way companies operate. Increasingly sophisticated user demands coupled with cloud computing, social networking, mobile technologies and other enabling trends are driving disruptive, transformational change in the technological landscape itself. How does this changing environment impact board risk oversight? In this issue of Board Perspectives: Risk Oversight, we make suggestions for boards to consider as they enhance their risk oversight as it relates to IT matters.
PCI Review Work Program
This work program covers a high-level PCI review. Objectives include the processing of PINs, cryptographic key creation, and secure key transmission, loading, and administration.
Physical Security for Information Technology Facilities Audit Work Program
The purpose of this work program is to provide the general steps used to perform an audit of physical security for IT facilities. This document gives specific questions related to risks such as unauthorized physical access, damaged cables and wiring, and power failures.
Physical Security Audit Work Program
This 45-page work program outlines physical security best practices for data centers and information processing/storage facilities.
Physician Contract Compliance Review Report
This report focuses on the effectiveness of a healthcare organization’s physician contracting and payment processes.
Portable Computing Device Security Policy
This sample policy establishes safeguards for the use of portable media and computing devices, including their connection to the company network.
Pre-Audit Readiness Report
This report focuses on an organization's pre-audit readiness and includes project scope, pre-audit key findings and a pre-audit assessment.
Preparing for the General Data Protection Regulation – The Clock Starts Ticking Now
This Flash Report details the final requirements of the European Union’s General Data Protection Regulation and what organizations will need to do to begin complying with them.
Pre-Year 1 SOX Roadmap – Audit Report
This report serves as a template for organizations to use when documenting business and IT processes for eventual Sarbanes-Oxley (SOX) compliance.
Privacy Controls Audit Work Program
This audit program provides steps for a privacy controls review, including verifying management direction and support for privacy controls.
Privacy: Our Next Organizational Challenge?
Even as information privacy and protection objectives grow more critical and complex, they are also increasingly subject to scrutiny by both internal and external auditors. This article explains how management and internal/external audit can get more involved in the process of protecting sensitive and personal data.
Product Development Audit Work Program
This sample product development audit program includes risk analysis, special and operational considerations, and evaluation components for an audit review.
Program Changes Audit Work Program
This audit program focuses on auditing program change controls. It concentrates on the IT general controls to be tested, reviews the results of management’s testing, and documents the procedures used to test each control.
Protiviti 2015 IA Capabilities and Needs Survey
This article summarizes the results of Protiviti’s 2015 Internal Audit Capabilities and Needs Survey.
Protiviti 2015 IT Priorities Survey
This article summarizes the results of Protiviti’s 2015 IT Priorities Survey.
Purchasing, A/P, Travel and Entertainment Audit Work Program
The purpose of this work program is to provide the general steps used to perform an audit of purchasing, A/P, travel and entertainment, including the use of data analytics.
RACF Mainframe Controls Review Audit Work Program
This audit work program outlines detailed steps to review the security controls of a RACF-protected mainframe environment.
Request for Proposal – Systems Audit Work – Sample
This is an example of a relatively informal RFP for specialized systems audit outsourcing services to be coordinated by the Internal Audit Director.
Request for Proposal: Assess IA Coverage of Banking Subsidiaries
This sample request for proposal (RFP) is used to solicit services for an assessment of the current internal audit environment at banking subsidiaries and recommendations to strengthen coverage in order to meet inherent business risks and regulatory requirements.
Request for Proposal: Internal Audit Start-Up or Outsourcing
This sample request for proposal is used to solicit qualified services to help an organization start an internal audit function.
Request for Qualifications: IT Professional Services Qualified Vendor List
This is a sample request for qualified IT services to help create an IT vendor list for multiple year projects. The information requested in this document includes: description of work to be performed, service categories, procedures for obtaining services, and special contracting terms and conditions.
SAP Access Management Governance: Getting It Right, Making It Sustainable
In this article, we outline a comprehensive and efficient strategy to improve SAP access management and establish a structure for governance that standardizes the management process and helps minimize access control risks for the long term.
SAP Change Management Review – Internal Audit Report
This internal audit report provides a detailed analysis of a company’s SAP change management process based on the Software Engineering Institute Capability Maturity Model.
SAP HANA: Bringing Business Warehouse Home
SAP has released a new product called SAP HANA—a high-performance, in-memory data warehousing platform offered in addition to SAP BW. This new platform, combined with other upgraded HANA modeling capabilities, enables better integration and vastly improves performance.
Scope of Application Security Memo
This memo outlines the assumptions and decision criteria in scoping the documentation efforts around application security.
Security Administration Audit Work Program
The purpose of this work program is to determine whether company policy and the structure of the security administration function provide for adequate administration of logical security.
Security Assessment Report
This sample audit report discusses the key observations and recommendations of an enterprise security assessment for an organization’s external and internal IT infrastructure.
Security by Design at FIS
FIS is the world’s largest global provider dedicated to banking and payment technologies. With more than 55,000 worldwide employees, FIS empowers the financial world with payment processing and banking solutions, including software, services and technology outsourcing. In this type of business environment, where the data security stakes are so high, it is imperative for internal auditors to be viewed as valued and trusted business partners – and at FIS that is exactly the case. In this profile, Katy Thompson, Chief Audit Executive, explains why she believes that proficiency with data mining and analytics and building specific subject-matter expertise are key trends. Also important is developing truly deep knowledge of the industry, the organization and the external factors impacting the business. She identifies three essential goals for the FIS internal audit team: coverage, building skills, and data analytics.
Security Management Audit Work Program
This document outlines steps to audit an organization’s security management process.
Security of Data Policy (with UNIX Example)
The following sample outlines a set of policies and procedures for Security of Data (with UNIX Example).
Security Policy and Procedure Evaluation – Data Security
This report records the results of an evaluation of data security policies and procedures. The report format can be used to communicate the status of company policies and to present recommendations for policy changes to management, including details of specific policy and procedure findings and gaps.
Security Policy and Procedure Evaluation – Software
This report format can be used to communicate the status of company software security policies and presents recommendations for policy changes and policy issues to management.
Security Policy Review Audit Work Program
The purpose of this work program is to determine whether the right security policies exist and determine if existing policies cover the necessary issues and are disseminated to the right people.
Segregation of Duties Review Report
This 23-page sample report focuses on a project's final deliverables, including a project overview, remediation roadmap, rollout plan and lessons-learned document.
Self-Assessment on Internal Controls Report
This report focuses on a self-assessment initiative, evaluating the effectiveness of the design of internal controls for a company’s operations and budget process. It describes the approach, the results, and the recommendations that resulted from the initiative.
Sensitive Data Handling Policy
The purpose of this policy is to ensure that all sensitively classified data is properly handled whether being transmitted within the organization or to a trusted third party.
Service-Level Agreement Sample
This template, which includes information on scope and service details, can be used by a company when developing a service-level agreement (SLA).
Service-Level Agreement Controls Audit Work Program
The purpose of this audit program is to assess the controls specific to a service-level agreement (SLA). An SLA describes specific types of service levels or performance objectives that an IT provider is committed to meet or exceed during the time covered by the agreement. The terms of the SLA can define such things as the acceptable response times for processing individual transactions or identifying and resolving various types of computing and telecommunication operating and effectiveness problems. It should stipulate the penalties for the supplier’s failure to achieve one or more service or quality levels.
Setting the 2014 Audit Committee Agenda
The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. The risks companies face in today’s global business environment create uncertainty for executive management and the board of directors. Given the uncertainties of the environment, this issue of The Bulletin offers observations and ideas for consideration by boards of directors and their audit committees when setting the 2014 agenda. We present 10 major challenges many companies will face over the next 12 months and summarize an agenda that is broken down into enterprise process and technology risk issues and financial reporting issues.
Setting the Audit Committee Agenda: Your Questions Answered
The February 10th Setting the 2015 Audit Committee Agenda webinar tackled a hot topic, and during the webinar, participants submitted insightful questions. We wanted to share some of those questions and their answers because they address critical topics that may be relevant for you.
Siebel/Oracle Information Security Audit Work Program
This audit program outlines procedures to evaluate six system control objectives.
So Long, Windows XP: FFIEC Warns Institutions, Providers and Third Parties of Potential Operational Risks
Information technology (IT) system migrations are a tremendous undertaking. In this article, we stress the importance of developing the necessary support structure to deal with the inevitable issues that will arise with this migration.
Software Licensure Compliance Audit Work Program
This sample work program can be modified for scope considerations that will depend on the extent of the software agreement under review.
Software Quality Perspectives
This article defines software quality and its characteristics, scope and integral relationship with other entities.
Software Testing Metrics Guide
Although crucial to software quality and widely deployed by programmers and testers, software testing still remains an art, due to limited understanding of the principles of software. This guide explains the fundamentals and importance of software testing and its metrics.
Strategic Bring Your Own Device: Implementing an Effective Program to Create Business Benefits While Reducing Risk
This white paper considers how an effective “Bring Your Own Device” (BYOD) program and strategy can help organizations meet the challenges and seize the potential business benefits of BYOD.
Strategic BYOD: "D" Is NOT for Doom
In this article, we set out clearly what the challenges are and explain how a BYOD program and strategy can help firms solve those challenges and seize the all-important benefits of BYOD.
System Backup Review Audit Work Program
The purpose of this audit program is to review an organization’s system backup procedures. This includes identifying all applications key to the organization, identifying the responsible person for the back-up procedure, analyzing actual procedures performed, and determining the appropriateness of handling related media. A key step in this work program is to identify all key applications in use at the company. In this list, include all SOX-related applications as well as any other applications deemed critical to company operations.
System Design Risk Key Performance Indicators
In successful systems design, three main components must be considered and managed effectively: quality, timeliness and cost-effectiveness. This document deals with the risks and issues regarding this "balancing act."
System Implementation Audit Work Program
The purpose of this work program is to provide the general steps used to review the system implementation process.
System Management Risk Assessment and Control Audit Work Program
Since most financial transactions are processed and maintained in the IT environment, the IT function is critical for all financial audits performed. This work program will assist audit teams with identifying risks and related controls for logical security administration and monitoring, physical security, change management, problem management, and system availability.
System Pre-Implementation Review Audit Work Program
The purpose of this document is to provide the general steps used to execute a pre-implementation review audit. This document provides audit objectives and procedures to help evaluate items such as the project management strategy, mechanisms that limit the ability to make changes to the application, and associated infrastructure testing strategies and procedures.
Systems and Application Audit Work Program
The purpose of this work program is to provide the general steps used to perform a systems and application audit. Testing examples include systems designs, component integration, interfaces and data conversion routines.
Systems Availability: The View from 30,000 Feet
The three components of services—people, products and processes—are like the three musketeers: all for one and one for all, in true holistic fashion. This article explains how they unite to provide a service to users and clients.
Tackling Healthcare’s Growing Cybersecurity Crisis Starts With a Proper Risk Assessment
As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. But this progress has its downside, in the form of heightened attention from cyber criminals.
Taking Audit’s Temperature in the Healthcare Industry
In the Protiviti and AHIA joint study, Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, healthcare organizations responding to Protiviti’s 2013 Internal Audit Capabilities and Needs Survey provided an updated picture of how they rate their technical knowledge and skill levels and what competencies most need improvement. This Hot Issue article further examines those and other trends impacting auditors in the healthcare industry.
TCM Audit Principles (“TCM Audit Top 10”)
This “TCM Audit Top 10” represents guiding principles that should be applied to Technology Change Management (TCM) Audits.
Technology Change Management Policy
This document provides the structure for ensuring that technological changes are consistently and properly recorded, assessed, authorized, tested, and released efficiently while effectively mitigating the risks to system availability, integrity of data, and the interoperability of the organization’s information resources.
Technology Change Management Audit Report
This report discusses the results of a technology change management (TCM) process audit. The document offers insight into the company’s TCM practices and strategies, and identifies strengths and improvement opportunities.
Technology Risks and Controls: What You Need to Know – Questionnaire
Disclosure and internal controls seem to be commanding the headlines these days, with particular emphasis on complying with Sections 302 and 404 of The Sarbanes-Oxley Act (SOX). This document poses questions to help determine where controls over information technology (IT) fit into the picture; why is IT important; and why management and executives should care.
Ten Cybersecurity Action Items for CAEs and Internal Audit Departments
As detailed in this article, cybersecurity risk is a growing concern—not only for internal stakeholders, but for customers and insurers.
Ten Ways to Increase CAAT Use in Your Audit Department
In this article, Ann Butera asks: Are we auditors walking the talk when it comes to using computer-assisted auditing tools (CAAT)?
The Dark Side of Social Engineering
By preying on the human need for trust and acceptance, social engineers use influence tactics to gain information and access, which can result in financial losses, stolen intellectual property and irreparable damage to reputation.
The Digital Wave: How It Impacts Data Management
This white paper outlines the steps to achieve a secure cloud system and avoid some common pitfalls in the process.
The Future of “Big Data” Risk Analytics and Obsolescence of the Traditional Internal Auditor
Dan Zitting, chief product officer at ACL, gives an in-depth analysis of the future of the traditional auditor, offers tips for innovation and progress in the industry, gives transformation examples from the field, and explains why the way we are paid as auditors shows that the world has changed.
The Global Privacy and Information Security Landscape: Frequently Asked Questions
As the world becomes increasingly connected, it is critical to view information security and privacy not merely as information technology (IT) issues, but also as essential business priorities. Security threats, vulnerabilities and privacy exposures challenge every organization; often organizations do not know what risks they face or how they will manage these risks. If managed properly, recognized leadership in handling personally identifiable information and driving personalized service can be a differentiator to consumers and partners and become a driver of business growth. This booklet provides legal overviews and insight regarding current laws and regulations, and guidance to implement and maintain an effective privacy and information security program from an operational perspective. Among the many topics addressed are privacy trends, security breaches, privacy programs, international laws and guidance for victims of identity theft.
The NICE Framework: Why You Need to Understand This Important Initiative
The National Initiative for Cybersecurity Education (NICE) represents a body of knowledge for the emerging field of cybersecurity, and in that respect it defines the concepts and practices that are legitimate areas of professional work and workforce education and training. The rationale and the detailed structure of this groundbreaking model are presented here, along with how it fits with substantive efforts to secure the U.S. critical infrastructure.
The PCI Security Standards Council Releases PCI DSS Version 3.2
As with every prior version or release of PCI DSS, many clarifications have been made, along with clerical changes.
The Road to Renewal: Modernizing Aging Core Systems at Financial Institutions
In this white paper, Protiviti examines the need for IT renewal in financial services institutions, assesses the risks and benefits of core modernization, and identifies five approaches to this undertaking.
The U.S. Securities and Exchange Commission and The Many Faces of Cybersecurity Liability
This article details recent actions by the U.S. Securities and Exchange Commission and addresses how various entities can be better prepared to deal with compliance, attacks and breaches.
Third-Party Access Policy
The purpose of this policy is to define security policies that apply to temporaries, contractors, consultants, and third parties, when such connectivity is necessary for business purposes. This policy covers both the physical and administrative requirements needed to manage secure network connectivity between an organization and any third party requiring access to the organization’s computing resources.
To KYD or Not to KYD: It Is Hardly a Question
As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. But this progress has its downside, in the form of heightened attention from cyber criminals.
Today’s Enterprise—Cyberthreats Lurk Amid Major Transformation
In this report, we share our key findings from this year’s Internal Audit Capabilities and Needs Survey.
Today's Big Trends in Robotics
This article looks at the global robotics ecosystem as a whole, including current trends in industrial robotics.
Top Priorities for Internal Audit in Technology
Technology companies face a growing wave of cybersecurity breaches, supply chain disruptions and IPOs. Additionally, the growing move to the cloud may represent the biggest driver of change in the industry. This disruptive change has direct implications on internal audit functions within the technology sector. Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement and help stimulate the sharing of leading practices throughout the profession. In this report, we will assess the technology industry results from the 2012 Internal Audit Capabilities and Needs Survey.
Training Is Key to Maximizing SharePoint Investment
If you are one of the more than 100 million customers who have purchased or licensed Microsoft SharePoint, you’ve probably adopted the platform to improve a spectrum of operations, ranging from optimizing business processes to enhancing efficiency to having better access to analytics within your organization. Are you maximizing your investment?
Transaction Authority Risk Key Performance Indicators (KPIs)
This tool explains the meaning of transaction authority risk and transaction authenticity, outlines business risks related to transaction authority, and shares management practices and questions to consider.
Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective
This white paper discusses the FFIEC Assessment Tool, which supplements the popular NIST framework with guidance specific to federally supervised financial institutions.
UNIX Security Audit Work Program
This audit program outlines steps for reviewing the security of systems running the UNIX operating system.
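The Linux Audit Checklist and the UNIX Security Audit Work Program above both cover generic account-level controls on UNIX-like hosts. The script below is an added example written for this page, not a KnowledgeLeader tool or any part of those work programs: it automates four of the checks an auditor typically performs against passwd- and shadow-format files (extra UID 0 accounts, empty password fields, password-age settings outside policy, and duplicate UIDs). The file paths and the sample account entries are constructed for illustration; on a real host the same functions can be pointed at /etc/passwd and /etc/shadow (reading the shadow file requires root).

```shell
#!/bin/sh
# Added example (not from the KnowledgeLeader work programs): generic
# account-control checks for a Linux/UNIX security audit. Each function
# takes a file path so it can run against the constructed sample files
# below or against /etc/passwd and /etc/shadow on a real system.

# 1. Accounts other than root with UID 0: shared superuser identities.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Accounts whose shadow password field is empty: login needs no password.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# 3. Accounts with a usable hash (not locked with "!" or "*") whose maximum
#    password age (shadow field 5) is blank or exceeds the policy limit ($2, days).
stale_password_policy_accounts() {
  awk -F: -v max="$2" \
    '$2 !~ /^[!*]/ && $2 != "" && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

# 4. UIDs shared by more than one account: breaks accountability in logs.
duplicate_uids() {
  awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

# Constructed sample data standing in for /etc/passwd and /etc/shadow.
# The hash strings are placeholders, not real password hashes.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1001:1001:Service account:/var/svc:/sbin/nologin
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:90:7:::
toor::19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19000:0:365:7:::
bob:$6$saltsalt$placeholderhash:19000:0:90:7:::
svc:!:19000:0:99999:7:::
EOF

# Run the checks; any line printed under a heading is an audit finding.
echo "UID 0 accounts other than root:";          extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:";  empty_password_accounts "$SAMPLE_SHADOW"
echo "Max password age missing or over 90 days:"; stale_password_policy_accounts "$SAMPLE_SHADOW" 90
echo "UIDs shared by more than one account:";   duplicate_uids "$SAMPLE_PASSWD"
```

Against the sample data the script flags `toor` (UID 0 and no password), `alice` (365-day maximum age against a 90-day policy) and the shared UIDs 0 and 1001; `svc` is not flagged for password age because its hash field is locked. A real engagement would extend this with checks on file permissions for the shadow file, SUID binaries and world-writable directories, which the work programs list separately.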
Upload Data from General Ledger to the Consolidations System
This questionnaire focuses on the financial close process, specifically the point at which data is uploaded from the general ledger (G/L) to the consolidations system. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.
User Information Security Policy
This sample policy provides guidelines for securing user information.
User Malicious Software Policy
The purpose of this security policy is to outline the user’s responsibilities in ensuring updates and maintenance of anti-virus computer software.
Views on Internal Audit, Internal Controls and Internal Audit’s Use of Technology
This article outlines how the use of technology in the audit process continues to grow, but there is room for improvement.
Virtual Private Network (VPN) Administration Audit Work Program
This audit work program includes test steps in the areas of documentation, logging, monitoring and user pool for VPN administration.
Virtual Reality Check: Managing the Internet of Things
The increased interconnection of mobile and sensory devices is expected to usher in a new era of automation, smart objects and data sources—the possibilities are almost limitless as the Internet of Things reshapes the Internet of tomorrow.
Virus Awareness Policy: Employee Responsibilities
This policy highlights an employee's responsibility with regard to keeping their workstation virus free. The document describes tasks that an employee should undertake on a routine basis to identify and remove infected files.
Virus Protection Policy
This sample policy outlines procedures for preventing virus infection from electronic mail attachments and from external disks and software.
Watch What You Say: Auditing Cybersecurity Disclosures
In the face of data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators—and insurers—are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs—people, processes and technology—are consistent with reality. The price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim. In this article, we stress the importance of having a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST), in place.
When It Comes to IT Audit, Where Does Your Department Rate?
Along with mushrooming changes in information technology comes a new set of challenges for audit departments to address. This article explores how Protiviti’s 2014 IT Audit Benchmarking Survey puts the subject into perspective and provides a basis for comparison on how organizations are implementing IT audit programs and practices.
You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect
In this article, we discuss the critically important information that those responsible for assessing the effectiveness of network security should be aware of.