UCF ID: 00681
Control Type: Establish Roles
Status: Live
Supporting and supported controls
This control directly supports:
- Define the roles and responsibilities, in a clear manner, of all personnel involved in the auditing process. [UCF Control ID 00678]
This control has the following supporting controls:
- Ensure the Internal IT Audit staff is responsible for operating a system of internal controls and is trained. [UCF Control ID 01187]
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 97; PCAOB Auditing Standard No. 5, ¶ 4; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § II.B.2, App A § II.B.3; FFIEC IT Examination Handbook – Audit, August 2003, Pg 4, Pg 6; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg H-2; FFIEC IT Examination Handbook – Information Security, Pg 7; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 22; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32, Exam Tier II Obj 2.1; Protection of Assets Manual, ASIS International, Pg 12-II-23, Pg 12-IV-6; Federal Information System Controls Audit Manual (FISCAM), February 2009, § 2.1; GAO/PCIE Financial Audit Manual (FAM), § 220.01; ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005, § 6.1.2; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 6.1.8; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 6; ISO/IEC 27002 Code of practice for information security management, 2005, § 6.1.8; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 53, Sched 1 ¶ 95; CODE OF CORPORATE GOVERNANCE 2005, ¶ 11.5; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 17, Principle 2; PCAOB Auditing Standard No. 2, ¶ 30 thru ¶ 36; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 9.6 ¶ 2(b)
Sarbanes Oxley Guidance
Internal auditors should assist management and the audit committee by monitoring, evaluating, and recommending improvements to the enterprise risk management process. Internal auditors should not have operating responsibilities. [Pg 97, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The auditor should have proficiency, technical training, and independence and should exercise "due professional care." [¶ 4, PCAOB Auditing Standard No. 5]
Auditors should have technical training, be proficient and independent, and exercise due professional care, including professional skepticism. To be independent, an auditor should not act as management or an employee of the client, audit his or her own work, or have conflicting or mutual interests with the client. Further, the auditor must not serve as an advocate for his or her client. [¶ 30 thru ¶ 36, PCAOB Auditing Standard No. 2]
Banking and Finance Guidance
The audit staff should be independent and qualified. [App A § II.B.2, App A § II.B.3, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The internal audit staff should perform their duties with impartiality and not be influenced by senior management and day-to-day operations managers. The internal audit staff should assess the controls, reliability, and integrity of the organization; identify the weaknesses of the system; review the plan for correcting the weaknesses; monitor the correction process; and report to the Board of Directors. [Pg 4, Pg 6, FFIEC IT Examination Handbook – Audit, August 2003]
The internal audit function should independently review the adequacy of the continuity testing program. [Pg H-2, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
The internal auditors should conduct audits to ensure controls, policies, and procedures have been implemented. They should report their findings to the Board of Directors. [Pg 7, FFIEC IT Examination Handbook – Information Security]
The organization should ensure the internal auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. [Pg 22, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The internal auditors should periodically conduct independent reviews of the funds transfer operation. [Pg 32, Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The internal audit staff should be an independent function and should not be directly responsible for risk management. [¶ 17, Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk]
US Federal Security Guidance
FISCAM calls for an auditor to gain an understanding of an organization's operations by reviewing all systems, applications, and documentation pertaining to the items and systems to be scrutinized. [§ 2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
The auditor should obtain an understanding of the entity sufficient to plan and perform the audit in accordance with applicable auditing standards and requirements. In planning the audit, the auditor gathers information to obtain an overall understanding of the entity and its origin and history, size and location, organization, mission, business, strategies, inherent risks, fraud risks, control environment, risk assessment, communications, and monitoring. Understanding the entity's operations in the planning process enables the auditor to identify, respond to, and resolve accounting and auditing problems early in the audit. [§ 220.01, GAO/PCIE Financial Audit Manual (FAM)]
ISO Guidance
The IT auditor should determine if the countermeasures adequately protect the data and if they have been implemented correctly. If they have been implemented correctly, the system should be allowed to operate. [§ 6.1.2, ISO/IEC 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005]
The internal audit function should conduct independent reviews of the organization's approach to implementing and managing information security. This review is to ensure the effectiveness and adequacy of the information security policy. The results should be reported to management and maintained by the organization. [§ 6.1.8, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The names of the personnel responsible for conducting audits should be documented. The auditors conducting the internal audits should ensure impartiality and objectivity to the audits and should not audit their own work. [§ 6, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
The internal audit function should conduct independent reviews of the organization's approach to implementing and managing information security. This review is to ensure the effectiveness and adequacy of the information security policy. The results should be reported to management and maintained by the organization. [§ 6.1.8, ISO/IEC 27002 Code of practice for information security management, 2005]
General Guidance
Internal auditors are responsible for ensuring that the information systems comply with the control procedures. Internal auditors should conduct unannounced audits of laptop users to ensure they are complying with the organization's encryption requirements. [Pg 12-II-23, Pg 12-IV-6, Protection of Assets Manual, ASIS International]
UK and Canadian Guidance
An adequate management framework should be in place to support the continuity recovery testing. One suggested role is Compliance/Audit for overseeing the recovery exercises and rehearsals and for ensuring they meet regulatory requirements and meet external auditors' expectations. [§ 9.6 ¶ 2(b), PAS 77 IT Service Continuity Management. Code of Practice, 2006]
Asia and Pacific Rim Guidance
An auditor is required to have a degree or certificate from a university or institution that includes not less than 3 years of accountancy and auditing courses, not less than 2 years of commercial law courses, or other qualifications or equivalent experience. An auditor must be independent from the organization. An auditor is considered independent if he/she does not influence the operational or financial policies of the organization; does not participate in the business activities of the accounting and auditing divisions; and has no financial arrangements with the organization, except for regular payments of a predetermined amount to conduct the audit. [Sched 1 ¶ 53, Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
The audit committee should meet with the internal auditors at least annually. [¶ 11.5, CODE OF CORPORATE GOVERNANCE 2005]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
