Ensure the Internal IT Audit staff is responsible for operating a system of internal controls and is trained.

UCF ID: 01187
Control Type: Establish Roles
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 17; FFIEC IT Examination Handbook – Audit, August 2003, Pg 6, Exam Tier I Obj 5.2; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 23; Securities Exchange Act of 1934, § 78m(b)(2)(B); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AT-3.3; CODE OF CORPORATE GOVERNANCE 2005, ¶ 13.2; BIS Sound Practices for the Management and Supervision of Operational Risk, Principle 2; Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004, ¶ III.3.7.1; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 43

Sarbanes Oxley Guidance

The auditor may use work that was performed by internal auditors to provide evidence on the effectiveness of internal control over financial reporting. [¶ 17, PCAOB Auditing Standard No. 5]

Banking and Finance Guidance

Internal auditors should perform operational and system development audits to ensure internal controls are implemented, policies and procedures are effective, and the staff are following the policies and procedures. [Pg 6, Exam Tier I Obj 5.2, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should periodically perform "around-the-computer" and "through-the-computer" audits. "Around-the-computer" techniques include spot-checking computer calculations, reviewing source input to ensure required approval was received prior to changes being made, developing data controls, reviewing exception reports, sampling rejected items to determine why they did not process, and assessing controls periodically. "Through-the-computer" audit techniques allow the auditor to use computer software programs to check and test the data. [Pg 23, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The internal audit staff should be competent and appropriately trained. [Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk]

NASD NYSE Guidance

The organization must maintain internal accounting controls that provide reasonable assurances that transactions are completed in accordance with management's authorization; ensure all transactions are recorded to maintain asset accountability and to permit financial statements to be prepared in accordance with generally accepted accounting principles; ensure asset access is only permitted with management's authorization; and ensure the current assets are compared with the recorded assets at regular intervals and any differences are corrected. [§ 78m(b)(2)(B), Securities Exchange Act of 1934]

US Federal Security Guidance

Auditors should be qualified to assess the specific risks that arise from specific uses of technology. [¶ 43, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

NIST Guidance

The security training materials for the Internal IT Audit Staff should be reviewed to ensure that appropriate procedures necessary to perform their operational duties are included. [AT-3.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

Other European and African Guidance

The internal controls must be monitored. The Board of Directors must be kept informed of the monitoring on a regular basis and evaluate how well the internal controls are functioning. [¶ III.3.7.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004]

Asia and Pacific Rim Guidance

The standards set by professional organizations, such as the Standards for the Professional Practice of Internal Auditing set by The Institute of Internal Auditors, should be met or exceeded by the internal auditor. [¶ 13.2, CODE OF CORPORATE GOVERNANCE 2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of individuals who have access to security software and who are trained and authorized security administrators. [UCF Control ID 01691]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.