Assign the responsibility for operating an internal control system to the internal audit staff.


CONTROL ID
01187
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and assign the internal audit staff's roles and responsibilities., CC ID: 00681

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The standards that are set by professional organizations, such as those for the Standards for the Professional Practice of Internal Auditing set by The Institute of Internal Auditors, should be met or exceeded by the internal auditor. (¶ 13.2, CODE OF CORPORATE GOVERNANCE 2005)
  • The internal controls must be monitored. The Board of Directors must be kept informed of the monitoring on a regular basis and evaluate how well the internal controls are functioning. (¶ III.3.7.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The internal audit staff should be competent and appropriately trained. (Principle 2, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • IT audit specialists are required to assess controls in the systems software controls area. Smaller organizations should consider outsourcing, since they are unlikely to have the available resources. IT auditors require a highly specific set of knowledge, much of which comes from experience. However… (§ 5.3.5 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Internal auditors must collectively have the skills, knowledge, and other competencies needed to perform their responsibilities and should have a high degree of proficiency in information technology and the audited subject matter. To support continuous auditing, properly trained and knowledgeable au… (§ 6 (Build Audit Technical Skills and Knowledge) ¶ 1, § 6 (Build Audit Technical Skills and Knowledge) ¶ 2, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • IT auditors need more training than a process or operational auditor and need to be trained early and often to stay abreast of the technology. The training strategy should consider the needs of the IT auditor and should develop expertise in a broad range of topics by assigning IT auditors to become… (§ 6.2 (IT Auditor Retention Strategy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Is there a full time internal security team assigned to protecting the cloud computing infrastructure? (§ V.1.19, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization must maintain internal accounting controls that provide reasonable assurances that transactions are completed in accordance with management's authorization; ensure all transactions are recorded to maintain asset accountability and to permit financial statements to be prepared in acc… (§ 78m(b)(2)(B), Securities Exchange Act of 1934)
  • Internal auditors should perform operational and system development audits to ensure internal controls are implemented, policies and procedures are effective, and the staff are following the policies and procedures. (Pg 6, Exam Tier I Obj 5.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should periodically perform "around-the-computer" and "through-the-computer" audits. "Around-the-computer" techniques include spot-checking computer calculations, reviewing source input to ensure required approval was received prior to changes being made, developing data controls, r… (Pg 23, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The security training materials for the Internal IT Audit Staff should be reviewed to ensure that appropriate procedures necessary to perform their operational duties are included. (AT-3.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Auditors should be qualified to assess the specific risks that arise from specific uses of technology. (¶ 43, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The auditor may use work that was performed by internal auditors to provide evidence on the effectiveness of internal control over financial reporting. (¶ 17, PCAOB Auditing Standard No. 5)