www.theiia.org
Agenda
www.theiia/guidance/ippf.org
Who am I?
Background
• Has worked in auditing since 1997 (Dipl. IR, CIA, CCSA, CISA)
Education
• Master of Management from BI (among others)
Position
• Senior Audit Manager in Group Internal Audit (GIA) - Nordea
International Professional Practices Framework
AUTHORITATIVE Guidance
The Professional Issues Committee (PIC)
Should:
Scope
PIC has primary responsibility for:
IIA Guidance
www.globaliia.org/standards-guidance
Practice Guides
Practice Guides — General
1. Quality Assurance and Improvement Program
2. Coordinating Risk Management and Assurance
3. Reliance by Internal Audit on Other Assurance Providers
4. Independence and Objectivity
5. Interaction with the Board
6. Auditing the Control Environment
7. Assisting Small Internal Audit Activities in Implementing the IPPF
8. Assessing the Adequacy of Risk Management Using ISO 31000
9. Measuring Internal Audit Effectiveness and Efficiency
10. Chief Audit Executives — Appointment, Performance, Evaluation, and Termination
11. Auditing Executive Compensation and Benefits
12. Evaluating Corporate Social Responsibility/Sustainable Development - Formulating and Expressing Internal Audit Opinions
13. Auditing External Business Relationships
14. Internal Auditing and Fraud
Global Technology Audit Guide (GTAG) series
Background:
Who is the GTAG target audience?
GTAG-1
Information Technology Risk and Controls (New edition)
It covers:
• Understanding of IT risks and controls
• Importance of IT controls
• Organizational roles and responsibilities for ensuring IT controls
• Analyzing risks
• Monitoring and techniques
• IT risk and control assessment
GTAG-2
Change and Patch Management Controls: Critical for Organizational Success (New edition)
It covers:
• Why IT change and patch management controls are foundational to a healthy IT environment
• How IT change and patch management controls help manage IT risks and costs
• What works and doesn't work in practice
• Describes sources of change and the likely impact on business objectives
GTAG-3 (Update Coming Soon)
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
It covers:
• Role of continuous auditing in today's internal audit environment
• Relationship of continuous auditing, continuous monitoring, and continuous assurance
• The application and implementation of continuous auditing
• Benefits of a continuous, integrated approach
GTAG-4 (Update Coming Soon)
Management of IT Auditing
It covers:
• Defining IT
• IT-related Risks
• Defining IT Audit Universe
• Executing IT Auditing
• Managing IT Auditing
• Emerging Issues
GTAG-5 (Update coming soon)
Managing and Auditing Privacy Risks
It covers:
• What is Privacy
• Privacy Principles and Frameworks
• Privacy Impacts and Risk Model
• Privacy Controls
• Good and Bad Performers
• Internal Auditing's Role
• Auditing Privacy
• CAE's Top 10 Privacy Questions
GTAG-6 (To be merged with GTAG 4)
Managing and Auditing IT Vulnerabilities
It covers:
• Define the vulnerability management lifecycle
• The scope of a vulnerability management audit
• Organizational maturity
• Metrics to measure vulnerability management practices
• Top 10 vulnerability management questions
GTAG-7 (Update coming soon)
Information Technology Outsourcing
It covers:
• How to choose the right IT outsourcing vendor?
• What are the best ways to manage outsourcing contract agreements?
• What are the main outsourcing risks and how to mitigate them?
• What are the key outsourcing control considerations from the standpoints of both client operations and service provider operations?
• Which is the most effective framework for
GTAG-8
Auditing Application Controls
It covers:
• What is application control?
• What is the relationship between application control and general controls?
• Why rely on application controls?
• How to scope a risk-based application control review?
• What are the steps to conduct an application controls review?
• A list of key application controls
• A sample audit program
GTAG-9
Identity and Access Management
It covers:
• Provide insight into what IAM means to an organization.
• Suggest internal audit areas for investigation.
• Assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes.
• Provide a checklist for IAM review.
GTAG-10
Business Continuity Management
It covers:
• Provide help to the CAE in communicating business continuity risk awareness.
• Support management in its development and maintenance of a BCM program.
• Disaster recovery planning for continuity of critical information technology infrastructure and business application systems.
GTAG-11
Developing the IT Audit Plan
It covers:
• Understanding the organization and how IT supports it.
• Define and understand the IT environment.
• Identify the role of risk assessments in determining the IT audit universe.
• Establishing the annual IT audit plan.
• An example to show how to execute the steps necessary to define the IT audit universe.
GTAG-12
Auditing IT Projects
It covers:
• Key project management risks.
• How the internal audit activity can actively participate in the review of projects while maintaining independence.
• Five key components of IT projects for internal auditors to consider when building an audit approach.
• Types of project audits.
• A suggested list of questions for use in the IT project assessment.
GTAG-13
Fraud Prevention and Detection in an Automated World
It covers:
• Guidance to chief audit executives and internal auditors on how to use technology to help prevent, detect, and respond to fraud.
• A step-by-step process for auditing a fraud prevention program.
• An explanation of the various types of data analysis to use in detecting fraud.
• A technology fraud risk assessment template.
GTAG-14
Auditing User-developed Applications (UDAs)
It covers:
• Direction on how to scope an internal audit of UDAs.
• Guidance for how the internal auditor's role as a consultant can be leveraged to assist management with developing an effective UDA control framework.
• Considerations that internal auditors should address when performing UDA audits.
• A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.
GTAG-15
Information Security Governance (ISG)
It covers:
• Defining ISG.
• A process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan.
• Helping internal auditors understand the right questions to ask and know what documentation is required.
• Describing the internal audit activity's (IAA) role in ISG.
GTAG-16
Data Analysis Technologies
It covers:
• Understand why data analysis is significant.
• Know how to provide assurance more efficiently with the use of data analysis technology.
• Implementing data analysis technology within your department.
• Know how to incorporate data analysis at your organisation.
• Recognize opportunities, trends, and advantages of making use of data analysis technology.
How to get the GTAGs?
QUESTIONS