GTAG_Overall1


Transcript of GTAG_Overall1

  • 7/23/2019 GTAG_Overall1

    Slide 1 of 29

    www.theiia.org

    Global Technology Audit Guide

    The Institute of Internal Auditors (www.theiia.org/technology)

  • Slide 2 of 29: This presentation covers

    What is GTAG?

    Who is the GTAG target audience?

    Who is involved in GTAG development?

    How many guides have been published?

    What do members think of the GTAG series?

    What are the future GTAG topics?

    How to get GTAG?

  • Slide 3 of 29: What is GTAG

    GTAG: Global Technology Audit Guide

    To provide easy-to-understand information technology audit guides to Chief Audit Executives, Audit Committees and Executive Management

    To provide a mechanism to quickly address new IT issues

    To produce technical audit guides on a global scale

  • Slide 4 of 29: Who is the GTAG target audience

    Primary target: the Chief Audit Executive (CAE). Many CAEs face the challenge of understanding technology, which is necessary to plan and conduct internal audits. CAEs are not well served by many existing guides, such as COBIT, which tend to target technical IT auditors and IT management.

    Given the broad responsibility of CAEs, the GTAG series provides them with a high-level overview of risk management and control related to IT.

    GTAG is of practically immeasurable value to busy executives who need to quickly understand technology issues and evaluate the impact on their organization.

  • Slide 5 of 29: Who is involved in GTAG development

    Advanced Technology Committee: selects topics based on members' needs; oversees development of the guides and develops content

    Partners with other professional organizations: broaden the audience for the guides and contribute to content (AICPA, NACD, CIS, FEI, ISSA, SANS Institute, Carnegie Mellon SEI)

    IIA global affiliates participate in the reviewing process

  • Slide 6 of 29: 15 GTAGs published

    GTAG-1: IT Controls (2005)

    GTAG-2: Change and Patch Management Controls (2005)

    GTAG-3: Continuous Auditing (2005)

    GTAG-4: Management of IT Auditing (2006)

    GTAG-5: Managing and Auditing Privacy Risks (2006)

    GTAG-6: Managing and Auditing IT Vulnerabilities (2006)

    GTAG-7: Information Technology Outsourcing (2007)

    GTAG-8: Auditing Application Controls (2007)

  • Slide 7 of 29: 15 GTAGs published (continued)

    GTAG-9: Identity and Access Management (2007)

    GTAG-10: Business Continuity Management (2008)

    GTAG-11: Developing the IT Audit Plan (2008)

    GTAG-12: Auditing IT Projects (2009)

    GTAG-13: Fraud Prevention & Detection in an Automated World (2009)

    GTAG-14: Auditing User-developed Applications (2009)

    GTAG-15: Information Security Governance (2009)

  • Slide 8 of 29: GTAG-1 Information Technology Controls

    It covers:

    Understanding of IT controls

    Importance of IT controls

    Organizational roles and responsibilities for ensuring IT controls

    Analyzing risks

    Monitoring and techniques

    IT control assessment

  • Slide 9 of 29: GTAG-2 Change and Patch Management Controls: Critical for Organizational Success

    It covers:

    Why IT change and patch management controls are foundational to a healthy IT environment

    How IT change and patch management controls help manage IT risks and costs

    What works and doesn't work in practice

    Sources of change and their likely impact on business objectives

  • Slide 10 of 29: GTAG-3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

    It covers:

    Role of continuous auditing in today's internal audit environment

    Relationship of continuous auditing, continuous monitoring, and continuous assurance

    The application and implementation of continuous auditing

    Benefits of a continuous, integrated approach

  • Slide 11 of 29: GTAG-4 Management of IT Auditing

    It covers:

    Defining IT

    IT-related Risks

    Defining the IT Audit Universe

    Executing IT Auditing

    Managing IT Auditing

    Emerging Issues

  • Slide 12 of 29: GTAG-5 Managing and Auditing Privacy Risks

    It covers:

    What is Privacy

    Privacy Principles and Frameworks

    Privacy Impacts and Risk Model

    Privacy Controls

    Good and Bad Performers

    Internal Auditing's Role

    Auditing Privacy

    CAE's Top 10 Privacy

  • Slide 13 of 29: GTAG-6 Managing and Auditing IT Vulnerabilities

    It covers:

    Defining the vulnerability management lifecycle

    The scope of a vulnerability management audit

    Organizational maturity

    Metrics to measure vulnerability management practices

    Top 10 vulnerability management questions

  • Slide 14 of 29: GTAG-7 Information Technology Outsourcing

    It covers:

    How to choose the right IT outsourcing vendor?

    What are the best ways to manage outsourcing contract agreements?

    What are the main outsourcing risks and how to mitigate them?

    What are the key outsourcing control considerations from the standpoints of both client operations and service provider operations?

    Which is the most effective framework for establishing outsourcing controls?

  • Slide 15 of 29: GTAG-8 Auditing Application Controls (playback link available)

    It covers:

    What is application control?

    What is the relationship between application controls and general controls?

    Why rely on application controls?

    How to scope a risk-based application control review?

    What are the steps to conduct an application controls review?

    A list of key application controls

    A sample audit program

  • Slide 16 of 29: GTAG-9 Identity and Access Management (playback link available)

    It covers:

    Insight into what IAM means to an organization

    Access Rights and Entitlement

    Provisioning Process

    Administration of Identities and Access Rights Process

    Use of Technology in IAM

    Suggests internal audit areas for investigation

    Assists CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes

    Includes a checklist for an IAM

  • Slide 17 of 29: GTAG-10 Business Continuity Management

    It covers:

    Help communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.

    Disaster recovery planning for continuity of critical information technology infrastructure and business application systems.

    Business Impact Analysis

    Business Recovery and Continuity Strategy

    Disaster Recovery for IT

    Crisis Communications

  • Slide 18 of 29: GTAG-11 Developing the IT Audit Plan

    It covers:

    Understanding the organization and how IT supports it.

    Defining and understanding the IT environment.

    Identifying the role of risk assessments in determining the IT audit universe.

    Formalizing the annual IT audit plan.

  • Slide 19 of 29: GTAG-12 Auditing IT Projects

    It covers:

    Key project management risks.

    How the internal audit activity can actively participate in the review of projects while maintaining independence.

    Five key components of IT projects for internal auditors to consider when building an audit approach.

    Types of project audits.

    A suggested list of questions for use in the IT project assessment.

  • Slide 20 of 29: GTAG-13 Fraud Prevention & Detection in an Automated World (playback link available)

    It covers:

    Step-by-step process for auditing a fraud prevention program

    An explanation of the various types of data analysis to use in detecting fraud

    A technology fraud risk assessment template

  • Slide 21 of 29: GTAG-14 Auditing User-developed Applications (playback link available)

  • Slide 22 of 29: GTAG-15 Information Security Governance

    It covers:

    Defining ISG.

    Helping internal auditors understand the right questions to ask and know what documentation is required.

    Describing the internal audit activity's (IAA) role in ISG.

    Steps to plan, test and analyze an audit of ISG.
  • Slide 23 of 29: What IIA members think of GTAG

    The GTAG survey tells that:

    On average, 52.4% of participants think GTAG topics are important to their organization.

    On average, 81% of participants think GTAGs are useful or very useful to their organization.

  • Slide 24 of 29: Future GTAG topics

    IT Governance

    Data Analysis Technology

    Third Party Development Lifecycle

  • Slide 25 of 29: How to get GTAG

    Free MEMBER download of the electronic copy from the IIA technology website: www.theiia.org/technology

    Purchase a printed copy from the IIA Bookstore (USD [member price] for IIA members, USD [nonmember price] for nonmembers; the amounts did not survive extraction from the slide)
  • Slide 26 of 29: GAIT (Guide to the Assessment of IT Risk)

    The Guide to the Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

  • Slide 27 of 29: GAIT

    The GAIT Methodology (PG): a risk-based approach to assessing the scope of IT general controls as part of management's assessment of internal control required by Section 404 of SOX
    http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-m/

    GAIT for IT General Control Deficiency Assessment (PG): an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies
    http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-d/
  • Slide 28 of 29: GAIT

    GAIT for Business and IT Risk (PG): guidance for helping identify the IT controls that are critical to achieving business goals and objectives
    http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-r/

    Case Studies of Using GAIT-R to Scope PCI Compliance: following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.
    http://www.theiia.org/download.cfm?file=24876
  • Slide 29 of 29: Want to learn more?

    IIA Practice Guide Series

    Monthly web event, free to members

    Authors discuss IIA practice guides; playback links available:

    http://www.theiia.org/guidance/standards-and-guidance/practice-guide-series/