Define and assign the internal audit staff's roles and responsibilities.


CONTROL ID
00681
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define the roles and responsibilities for personnel assigned to tasks in the Audit function., CC ID: 00678

This Control has the following implementation support Control(s):
  • Assign the responsibility for operating an internal control system to the internal audit staff., CC ID: 01187


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard § I.4(4): The examination and assessment of the design and operation of internal controls are the responsibility of the internal auditors. As part of their monitoring function, they will prompt remedial action. Practice Standard § I.2(5)[2].C: The performance of Directors and other person… (Standard § I.4(4), Practice Standard § I.2(5)[2].C, Practice Standard § I.4(4), Practice Standard § II.3(1)[1], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall establish a system audit department to track and evaluate the effectiveness, conformity, reliability, safety, and efficiency of computer systems and system management. (O91, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The audit committee should meet with the internal auditors at least annually. (¶ 11.5, CODE OF CORPORATE GOVERNANCE 2005)
  • An auditor is required to have a degree or certificate from a university or institution that includes not less than 3 years of accountancy and auditing courses, not less than 2 years of commercial law courses, or other qualifications or equivalent experience. An auditor must be independent from the … (Sched 1 ¶ 53, Sched 1 ¶ 95, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • The internal audit staff should be an independent function and should not be directly responsible for risk management. (¶ 17, Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • An adequate management framework should be in place to support the continuity recovery testing. One suggested role is Compliance/Audit for overseeing the recovery exercises and rehearsals and for ensuring they meet regulatory requirements and meet external auditors' expectations. (§ 9.6 ¶ 2(b), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Application controls should be a priority of all internal auditors. The internal auditors' roles include evaluating business processes and understanding and assessing automated process controls; a general understanding of IT (level will depend on the category of auditing or audit supervision they per… (§ 5.3.7 ¶ 1, § 7.3.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The internal audit function should comprise general auditors and highly technical personnel who understand the application controls. Alternative resource staffing may be required for audits where IT audit resource constraints are an issue, to supplement the expertise of the internal audit staff. (§ 4.7 ¶ 6, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Before performing an IT project audit, internal auditors should communicate with the project management offices as part of the planning and scoping process. Significant value can be added to the project when internal auditors engage early and support the project team throughout the lifecycle. A perc… (§ 4.1, § 4.2 ¶ 2, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Internal auditors should help management identify issues and help ensure they are corrected in a timely fashion. Internal auditors are responsible for ensuring that risk management processes have been implemented and should conduct reviews of the change management process on a regular basis. (§ 3.3 ¶ 4, § 7 ¶ 5, IIA Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success)
  • Auditors should assess the combined results of continuous auditing and monitoring to provide continuous assurance on the effectiveness of internal controls. (§ 4 (Continuous Auditing) ¶ 5, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The Chief Audit Executive (CAE) should ensure the IT risk assessment process is completed by appropriate personnel. (§ 4.5 (Robust IT Risk Assessment), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • An internal auditor can help an organization meet privacy objectives and contribute to good governance and accountability by determining what privacy regulations and legislation are applicable; assessing the implemented information security and data protection controls and reviewing them regularly; … (§ 2.2 (Privacy Controls) ¶ 3, § 5.1 ¶ 2, § 5.8 ¶ 4, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Internal auditors provide executive management with recommendations on the organization's compliance with internal and regulatory requirements, raise its awareness of likely vulnerabilities and impacts, identify possible sources of risk, helping to avoid regulatory violations or security incidents, … (§ 2.3 ¶ 4, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • Internal auditors must be able to evaluate business process controls and have the appropriate knowledge of key IT controls, risks, and auditing techniques to perform their work. They must be proficient enough to be able to determine if application controls have been appropriately designed and they a… (§ 2 (The Role of Internal Auditors), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Internal auditors are responsible for ensuring that the information systems comply with the control procedures. Internal auditors should conduct unannounced audits of laptop users to ensure they are complying with the organization's encryption requirements. (Pg 12-II-23, Pg 12-IV-6, Protection of Assets Manual, ASIS International)
  • The security audit plan should include details about resources required to conduct the audit (e.g., people, software, and office space), from the perspective of the auditors and the business owner. (SI.01.02.06a, The Standard of Good Practice for Information Security)
  • The security audit plan should include details about key tasks to be undertaken and responsibilities for those tasks (i.e., who will perform the tasks). (SI.01.02.06c, The Standard of Good Practice for Information Security)
  • The security audit plan should include details about resources required to conduct the audit (e.g., people, software, and office space), from the perspective of the auditors and the business owner. (SI.01.02.06a, The Standard of Good Practice for Information Security, 2013)
  • The security audit plan should include details about key tasks to be undertaken and responsibilities for those tasks (i.e., who will perform the tasks). (SI.01.02.06c, The Standard of Good Practice for Information Security, 2013)
  • The IT auditor should determine if the countermeasures adequately protect the data and if they have been implemented correctly. If they have been implemented correctly, the system should be allowed to operate. (§ 6.1.2, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • The internal audit function should conduct independent reviews of the organization's approach to implementing and managing information security. This review is to ensure the effectiveness and adequacy of the information security policy. The results should be reported to management and maintained by … (§ 6.1.8, ISO 27002 Code of practice for information security management, 2005)
  • Selecting internal auditors can be difficult for smaller companies. If the necessary resources and competence are not available internally, external auditors should be appointed. When organizations use external auditors, they should ensure that they have acquired enough knowledge about the context o… (§ 9.2 Guidance ¶ 9, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Internal auditors should assist management and the audit committee by monitoring, evaluating, and recommending improvements to the enterprise risk management process. Internal auditors should not have operating responsibilities. (Pg 97, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The nature of the internal audit function's responsibilities and how the internal audit function fits in the service organization's organizational structure (¶ 2.112(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may determine, however, that the examination can be performed more effectively or efficiently by using the work of the internal audit function or obtaining direct assistance from internal audit function personnel. The phrase "using the work of the internal audit function" usually… (¶ 2.154, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should understand the activities and the responsibilities of the internal audit function to determine if they are likely to be relevant to the audit. (¶ .28, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The responsibilities of the practitioner (AT-C Section 205.08 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The responsibilities of the practitioner (AT-C Section 215.14 e., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The nature of the internal audit function's responsibilities and how the internal audit function fits in the service organization's organizational structure (AT-C Section 320.21 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Review the membership list of board, steering committee, and/or relevant management committees established to review IT activities. Determine whether board, senior management, lines of business, audit, and IT personnel are represented appropriately, and whether regular meetings are held and minutes … (App A Objective 2:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The internal audit staff should perform their duties with impartiality and not be influenced by senior management and day-to-day operations managers. The internal audit staff should assess the controls, reliability, and integrity of the organization; identify the weaknesses of the system; review the… (Pg 4, Pg 6, FFIEC IT Examination Handbook - Audit, August 2003)
  • The internal audit function should independently review the adequacy of the continuity testing program. (Pg H-2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure the internal auditor's training and experience are adequate and the auditing techniques of the third party service provider are appropriate. (Pg 22, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The internal auditors should periodically conduct independent reviews of the funds transfer operation. (Pg 32, Exam Tier II Obj 2.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The auditor should gain an understanding of the organization's operations by reviewing all systems, applications, and documentation pertaining to the items and systems to be scrutinized. (§ 2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The auditor should obtain an understanding of the entity sufficient to plan and perform the audit in accordance with applicable auditing standards and requirements. In planning the audit, the auditor gathers information to obtain an overall understanding of the entity and its origin and history, siz… (§ 220.01, GAO/PCIE Financial Audit Manual (FAM))
  • Auditors should have technical training, be proficient and independent, and exercise due professional care, including professional skepticism. To be independent, an auditor should not act as management or an employee of the client, audit his or her own work, or have conflicting or mutual interests w… (¶ 30 thru ¶ 36, PCAOB Auditing Standard No. 2)
  • The auditor should have proficiency, technical training, and independence and should exercise "due professional care." (¶ 4, PCAOB Auditing Standard No. 5)