Status: Live
The organization will develop, disseminate, and review: 1) a formal internal audit program policy and standards that address purpose, scope, RACI chart info, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00684]
Supporting and supported controls
This control directly supports:
• Audits and risk management [UCF Control ID 00677]
This control has the following supporting controls:
• Audit Reporting [UCF Control ID 01145]
• Assess the quality of the audit function [UCF Control ID 01150]
• Define materiality in IT compliance audits [UCF Control ID 01238]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.6; PCAOB Auditing Standard No. 5, ¶ 3, ¶ 71; The Sarbanes-Oxley Act of 2002, § 40; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Exposure Limits; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § II.B.1, App A § II.B.4; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 6, Pg 86; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 165, ¶ 443, ¶ 620(f), ¶ 744; FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 5; FFIEC IT Examination Handbook – Audit, August 2003, Pg 4, Pg 11, Pg 12; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 4, Exam Tier I Obj 4.7; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 21, Pg A-2; FFIEC IT Examination Handbook – Management, Pg 14, Pg 27; FFIEC IT Examination Handbook – Operations, July 2004, Pg 41; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 32, Exam Tier II Obj 8.7; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 32, Exam Tier II Obj 2.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(D); Federal Information Security Management Act of 2002 (FISMA), § 3545; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, App VI.1; GAO/PCIE Financial Audit Manual (FAM), § 210; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 6.3; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5; ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 10; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 5.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.4.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-1; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 5.3 Process; The Standard of Good Practice for Information Security, SM7.1.1, SM7.1.2, CB5.4.1, CB5.4.4, CI5.5.1, CI5.5.4, NW4.5.1, NW4.5.4, SD2.3.1, SD2.3.4; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.3(e), § 5.1, § 6; OECD Principles of Corporate Governance, 2004, § VI.D; IT Service Management Standard, BS ISO/IEC 20000-1:2005, § 4.3; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 4.3, § 4.3.1; Financial Reporting Council, Combined Code on Corporate Governance, June 2008, § C.3.5; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 42 thru ¶ 47; Australian Government ICT Security Manual (ACSI 33), § 3.5.19, § 3.7.29; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 63; CODE OF CORPORATE GOVERNANCE 2005, ¶ 13.3; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 16, Principle 2; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 4.1.1, ¶ 4.2.2; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.3.7.2; Archer Control Table, ATCS-012, ATCS-507
Sarbanes Oxley Guidance
The organization should perform audits of the system periodically with either internal or external auditors. [ID 8.2.6, AICPA/CICA Privacy Framework]
The auditor should plan and perform an audit to provide reasonable assurance that material weaknesses do not exist in the internal control over financial reporting process. The auditor should evaluate all evidence obtained from all sources to form an opinion on the effectiveness of internal control over financial reporting. [¶ 3, ¶ 71, PCAOB Auditing Standard No. 5]
The organization must develop auditing standards that include preparing and maintaining audit work papers for not less than 7 years, providing a second review and obtaining approval of the audit report, and describing the scope of the auditor's internal control tests. [§ 40, The Sarbanes-Oxley Act of 2002]
Banking and Finance Guidance
The annual audit should include verifying that the organization has established an exposure limit, reviewing its exposure periodically, and monitoring entries relative to the exposure limit. [Exposure Limits, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]
The organization should have an internal auditing function. The internal audit function should ensure the information systems are adequately tested and reviewed. If the organization is not large enough to support an audit function, it should use independent reviews of key internal controls instead. [App A § II.B.1, App A § II.B.4, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The internal and/or external auditors should test transactions in all areas of the organization and verify the adequacy of employees' knowledge of regulations, the completeness of training programs, the integrity and effectiveness of controls, and the process of identifying suspicious activities. [Pg 6, Pg 86, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
The internal auditing process should include an independent review of the risk measurement system. Internal audit must review the organization's rating system and operations at least annually. The internal audit should review the organization's adherence to applicable minimum requirements and document all of its findings. Internal or external auditors should regularly review the internal assessment process and the validity of the assessments. [¶ 165, ¶ 443, ¶ 620(f), ¶ 744, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
An internal or external auditor should review the Security Administrator's actions to ensure system security is properly maintained. [Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment]
Policies and procedures for conducting audits should be developed and approved by the Board of Directors. The audit program should include the purpose, objectives, and responsibilities of all involved personnel; risk assessments to analyze the risks; an audit plan for a 12-month period that describes the goals, schedules, and staffing needs; the scope of the auditing work, including the audit procedures and the extent of the testing; written audit reports to the Board of Directors and senior management; the requirements for work paper documentation; follow-up processes for checking on deficiencies that are being corrected; and development programs for the auditors. [Pg 4, Pg 11, Pg 12, FFIEC IT Examination Handbook – Audit, August 2003]
The internal and/or external auditor should review the organization's continuity plan at least annually. [Pg 4, Exam Tier I Obj 4.7, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
For organizations offering e-banking services, the audit program should be expanded. The scope should now include the entire e-banking process and the organization should ensure the personnel involved in the audit have the expertise to evaluate the threats to an open network. The audit program should include the risks associated with e-banking. [Pg 21, Pg A-2, FFIEC IT Examination Handbook – E-Banking, August 2003]
An internal and external audit program should exist to ensure the internal controls are adequate. Independent audits should be conducted to verify that controls exist and are functioning correctly. [Pg 14, Pg 27, FFIEC IT Examination Handbook – Management]
The audit function should review the control self-assessments for accuracy and quality and may use them to plan the scope of any necessary audit work. [Pg 41, FFIEC IT Examination Handbook – Operations, July 2004]
Auditors should review the accounting controls, assess the effectiveness of procedures, and validate the internal control environment of the organization. [Pg 32, Exam Tier II Obj 8.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Organizational audits should be used to verify the effectiveness of the control environment and identify deficiencies that need to be corrected. [Pg 32, Exam Tier II Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The Board of Directors should ensure that an effective and comprehensive internal audit program is established. The internal audit should verify that procedures and policies are implemented effectively. [¶ 16, Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk]
Healthcare and Life Science Guidance
Health care organizations should “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” and should perform an “information system activity review” – the equivalent of an internal audit program. [§ 164.308(a)(1)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
US Federal Security Guidance
Each organization with an appointed Inspector General under the Inspector General Act of 1978 should be annually evaluated by the Inspector General or an independent external auditor. Which of these two will conduct the audit is determined by the Inspector General. [§ 3545, Federal Information Security Management Act of 2002 (FISMA)]
FIPS 200 calls for Audit and Accountability (AU). Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
FISCAM is a great source for defining the scope of an audit – even if its definition is for a review of control objectives in support of financial statements. Drawing from the first part of its overall audit planning strategy material, there are four steps to consider (the numbering of these steps is ours).
1a. Identify significant information processes, systems, and IT assets. Then document the relation of materiality to those information processes, information systems, and IT assets.
1b. Analyze for input, output, master files, rejected transactions within the information processes. Then document those processes, the information systems supporting those processes, and individual IT assets that support the information systems.
1c. Perform an assessment of the framework and general controls already in place.
1d. Assess whether the controls are likely to be effective (i.e., are there controls that are lacking?). If they are not thought to be effective, then document the assessed deficiencies in the framework and reassess the framework itself or the individual controls. [App VI.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
One of the keys to a quality audit is planning. The FAM explicitly points out that “planning requires the involvement of senior members of the audit team.” It also points out that scoping and planning are an iterative process performed throughout the audit. The example it uses is that findings from the internal control phase could directly affect planning of the substantive audit procedures. [§ 210, GAO/PCIE Financial Audit Manual (FAM)]
US Internal Revenue Guidance
The IRS requires organizations that use Federal Tax Information (FTI) to conduct internal inspections to ensure required safeguards are implemented and maintained. The internal inspection should be conducted by a function other than the one using the FTI. All local offices that receive FTI should be reviewed every 3 years. The facility that houses the FTI and the computer facility should be reviewed every 18 months. [§ 6.3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
Records Management Guidance
The audit program should “cover all aspects of records keeping; specify performance indicators used to analyze efficiency and effectiveness; assign responsibility for the conduct and reporting of the audit; specify methods for collecting information; specify the period and frequency of reviews; and provide a secure report that can be used for comparative purposes over time.” [§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
Internal auditing should be conducted to ensure that the organization is in compliance with its policies and procedures. [§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]
The internal audits should “take place regularly at intervals agreed and set down in the organization’s records management policy.” [§ 5.1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]
NIST Guidance
[§ 3.4.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
“The organization should develop, disseminate, and periodically review/update: a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and, formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.” The document also calls for government agencies to adopt strict internal audit programs. [AU-1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure an audit and accountability policy and procedure is documented, disseminated, reviewed, and updated; the audit and accountability policies and procedures are continuously applied; and specific responsibilities and actions are defined for the implementation of the audit and accountability policy control. Any problems discovered during the implementation of the audit and accountability policy control should be documented and used to improve the controls. The audit and accountability policies and procedures should be examined for purpose, scope, responsibilities; compliance with laws, regulations, and directives; and consistency with the organization's mission and function.
Interviews should be conducted with personnel who use the audit and accountability policies and procedures while performing their jobs. [AU-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
The organization should regularly conduct internal audits of the Information Security Management System (ISMS). These internal audits should ensure the ISMS meets all applicable laws and regulations, information security requirements, performs as expected, and is properly maintained. [§ 4.2.3(e), § 5.1, § 6, ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
A good audit plan is expected to include:
• identification of the type of audit to be carried out
• identification of audit objectives
• identification of the standard audit framework to be used
• a clear definition of the scope of the audit
• a definition of the audit approach
• identification of audit evaluation criteria
• determination of requirements for specific subject expertise or third-party assistance
The actual audit involves reviewing all collected information about the organization’s systems then compiling them into a report. Additional interviews should be conducted if the report raises any questions. Documentation that may be relevant to the audit should be examined and a final opinion should be formed on the condition of systems audited. The opinion should balance the interests of the audit sponsor with benchmarks set by external sources. Based on the opinion, a remedial action plan should be created to implement any key audit report recommendations. In addition, a monitoring process should be provided to ensure that the action plan is appropriately implemented. [Stage 5.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
Independent security audits should be performed regularly on critical systems, networks, applications, and systems development activities. Individuals with sufficient auditing skills should perform the security audits with the assistance of automated software tools. The results should be validated by third parties. [SM7.1.1, SM7.1.2, CB5.4.1, CB5.4.4, CI5.5.1, CI5.5.4, NW4.5.1, NW4.5.4, SD2.3.1, SD2.3.4, The Standard of Good Practice for Information Security]
EU Guidance
The organization should implement an internal audit program. [§ VI.D, OECD Principles of Corporate Governance, 2004]
UK and Canadian Guidance
An “audit program to be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of the previous audits” is called for. [§ 4.3, IT Service Management Standard, BS ISO/IEC 20000-1:2005]
[§ 4.3, § 4.3.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
If the organization does not have an internal audit function, the audit committee should evaluate, on an annual basis, if the organization needs the audit function and make a recommendation to the Board. [§ C.3.5, Financial Reporting Council, Combined Code on Corporate Governance, June 2008]
[¶ 42 thru ¶ 47, Turnbull Guidance on Internal Control, UK FRC, October 2005]
Other European and African Guidance
The organization should implement an internal audit function. The internal audit function should ensure that the processes used by management adequately identify and monitor risks; the internal control systems are operating effectively; a process exists for feedback; and the Board of Directors receives reliable and accurate information from management. If the Board decides not to implement an internal audit function, the annual report should include an explanation of how the organization will ensure the internal controls, processes, and systems are operating effectively. [¶ 4.1.1, ¶ 4.2.2, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
If the organization does not have an internal audit function, it must evaluate the need for it annually. [¶ III.3.7.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]
Asia and Pacific Rim Guidance
The configuration baseline should be compared against the actual configuration on a regular basis to ensure no changes have been made to the system without proper approval. [§ 3.5.19, § 3.7.29, Australian Government ICT Security Manual (ACSI 33)]
The nature of the audit, the degree to which the auditor was involved in the audit process, and the responsibility level of the auditor in relation to the audit must be examined to determine the significance of the audit work. [Sched 1 ¶ 63, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
The audit committee should ensure that the internal audit function is staffed appropriately and has adequate resources to carry out its duties. [¶ 13.3, CODE OF CORPORATE GOVERNANCE 2005]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of required internal and external audits completed and reviewed [UCF Control ID 01677]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
