Two new Global Technology Audit Guides (GTAGs) were posted last week in the Standards and Guidance section of The IIA’s website. They are available for free member download in PDF format:
· In most organizations, selected staff members are permitted as a matter of business necessity to extract, manipulate, analyze, and report on enterprise data using spreadsheets, databases, or other user-developed applications (UDAs) with little or no support from the IT function. This practice, of course, gives rise to risks concerning data integrity, availability, and confidentiality. New GTAG 14, Auditing User-developed Applications, explores, among other topics, how best to risk rate and scope a UDA audit. The 32-page GTAG also proffers a sample audit program, best practices for implementing controls over UDAs, and advice on how internal auditors can work in a consulting role to help management develop an effective UDA control framework.
· Standard 2110.A2 of The IIA’s International Standards for the Professional Practice of Internal Auditing requires the internal audit activity to assess whether the organization’s IT governance sustains and supports agreed-upon strategies and objectives. And no wonder: IT failures, especially information security (IS) breaches, can place the organization at risk for reputation damage, diminished competitiveness, noncompliance with laws and regulations, and other adverse consequences. New GTAG 15, Information Security Governance, explores internal auditing’s roles in and responsibilities for IS. The 28-page GTAG also can help to plan, test, and analyze IS governance audits.
GTAGs, which are written in straightforward business language to address timely issues in IT management, control, and security, are strongly recommended, but not mandatory, guidance under The IIA’s International Professional Practices Framework.