control, and governance
March 2007
Free Guide Series Provides IT Help for Internal Auditors
Now internal auditors and chief audit executives can get information on the latest IT topics and best practices — no IT knowledge or training necessary.
Raquel Filipek
Editor, ITAudit
With the myriad of regulations, frameworks, and compliance best practices in existence, it's not surprising that many internal auditors, audit managers, and chief audit executives (CAEs) may not know where to find the latest IT information and guidance. As more sophisticated viruses, worms, and distributed denial-of-service attacks continue to plague organizations, and data security breaches infiltrate corporate networks, it is more important than ever for internal auditors to provide recommendations that truly address an organization's most pressing IT concerns and problem areas.
Recognizing the need for concise technology guidance for internal auditors of all levels, The IIA created its Global Technology Audit Guide (GTAG) series — a collection of publications written in straightforward business language that address timely IT issues. Since 2005, each GTAG has served as a resource for CAEs, audit managers, and internal auditors who wish to learn more about a specific technology-associated risk and recommended best practices.
WHAT IS GTAG?
Originally developed to help CAEs stay informed on the latest IT changes and controls, each GTAG provides information that can help internal auditors and audit managers understand the current technology issues affecting organizations worldwide. Written by audit practitioners for members of the internal audit community, each GTAG is carefully reviewed by a committee of IIA volunteers and audit professionals in the field to ensure the guides are understandable and useful on a global scale.
"Although there is some technology guidance out there, many internal auditors, especially CAEs, don't have the technology background necessary to understand how a specific IT control or application works," explains Lily Bi, technology practices manager for The IIA. "One of the reasons GTAG was created is to provide high-level technology information from a business point of view that can help internal auditors worldwide become more knowledgeable of the different risks, controls, and governance issues surrounding technology."
However, GTAGs do more than just inform internal auditors of the latest technology trends and issues. They serve as a springboard that can help internal auditors communicate more effectively with different business functions. As Jay R. Taylor, general director of General Motors' Global IT Audit group and the chair of The IIA's Advanced Technology Committee, explains, "Both management and the audit committee have an expectation that internal auditing is providing assurance around all important risks, including those introduced or enabled by the implementation of IT. One of the main goals behind GTAG is to get internal auditors comfortable enough to carry on a conversation with their audit committees and exchange risk and control ideas with their chief information officer (CIO) or IT director."
Each guide exists in both print and online form, and three new GTAG issues are published every year. So far, seven GTAGs have been published discussing issues such as:
Future GTAGs will provide information on topics including IT outsourcing, application controls, identity management, business continuity management, and IT universe and risk management. Regardless of their topic, each GTAG includes an executive summary of the publication, an overview or introduction of the subject area, a definition of key concepts, a risk and controls section, examples of internal audit best practices, and an appendix section with additional information on the subject.
"GTAGs are structured in a way that allows auditors of all levels easy, top-down access to relevant information. This is due in part to the work of GTAG reviewers and IIA volunteers from all over the world who help to ensure this broad, top-down view of information," adds Dr. Ulrich Hahn, an independent audit consultant and writer and one of the main creators of the GTAG series. "A PowerPoint presentation also is available online that summarizes each GTAG and provides easy access to each publication."
Among IIA members, GTAGs are one of the top documents downloaded from the Web site. In addition, nearly 93 percent of GTAG readers think the guides cover topics that are important and useful to their organization. One of the reasons for their growing popularity is their simple approach to IT. "GTAGs offer non-technical information on IT issues for management, internal auditors, and even IT professionals," explains Hahn. "Their content is not too technical to confuse a business executive, while at the same time covering information in sufficient detail and depth."
PUTTING GTAG TO WORK
The GTAG series has made a real difference for companies across the globe. One of these companies is Microsoft, where internal auditors use the guides as part of the CIO's and audit committee's reference toolkit. "At Microsoft, GTAG information has helped shape and guide the discussion, audit scope, and audit procedures covering a specific audit area," says GTAG reviewer Steve Mar, Microsoft's senior director of IT audit. "The GTAG on continuous auditing, for example, helped stakeholders understand who is accountable for which parts of the overall continuous audit and continuous monitoring process."
When using GTAG, Mar recommends that internal auditors get the necessary support from the organization. "Internal auditors should get top-down support from the audit committee, CIO, and CAE when implementing GTAG recommendations and best practices. If the organization has a separate IT auditor, it is also necessary to get the IT auditor on board," he explains.
Other organizations around the world are using GTAG as a technology resource tool. At the Office of the Auditor General (OAG) of Norway, where e-government is being increasingly implemented by agencies as one of the main ways to deliver services to citizens, GTAGs have provided managers and internal auditors with a good overview of which areas to concentrate on during an audit as well as the different aspects and risks of using IT.
"The GTAG series has given CAEs as well as internal and external auditors a good introduction to understanding IT risks and how different frameworks fit together in the audit universe," comments Stig J. Sunde, senior audit advisor with OAG Norway's Accounting and IT Audit Methodology Department and the head of the IT Audit Specialty Group of The IIA Norway affiliate. "After reading GTAG, the OAG has been a strong supporter of including IT audit components in all internal reviews and sees the need of increasing the understanding of IT risks among non-IT auditors."
BENEFITS TO THE CAE
CAEs also benefit greatly from using GTAG. "Each GTAG is developed and packaged in such a way that a CAE can read and understand an important IT topic while traveling on an airplane," says Taylor. "So the value of GTAG is practically immeasurable to those busy executives who need to quickly understand a specific IT issue and evaluate its impact on the organization."
According to Taylor, while technical guidance exists that caters to IT auditors and IT managers, all internal auditors, especially CAEs, need to have a certain level of IT understanding to be effective. "Given the broad responsibility of CAEs, their needs are at a more strategic and enterprise level. The GTAG series enables CAEs to choose whether they want a broad overview on a hot topic or prefer to drill down into a discussion of risk management and controls assessment," Taylor adds.
At the OAG of Norway, Sunde and his team started noticing an increased understanding of IT risks among CAEs. "As CAEs learned more about technology and its related risks, this understanding cascaded down into the organization and auditors," he says. "However, just sticking a GTAG in the hands of CAEs will not make them read it. The learning effect is much more significant, especially for busy CAEs, when you sit down together over time and review the information. In addition, as CAEs start to ask questions about IT risks, non-IT auditors also start to understand what these risks are."
WHERE TO FIND THEM
For more information on GTAG, auditors can visit The IIA's Information Technology Web page. Besides general information on the guide series, visitors can access the GTAG overview PowerPoint presentation (PPT, 475 KB), which provides an overview of the GTAG series, its target audience, and the current guides published to date. A PDF version of GTAGs one through seven also is available free of charge on The IIA Web site. To access each guide, click on the links below:
In the future, all GTAGs will be translated into Spanish and French as part of The IIA translation initiative. Currently, GTAG 1 has been translated into Norwegian and Spanish. To obtain a copy of GTAG 1 in Spanish and Norwegian, visit The IIA–Spain and The IIA–Norway Web sites.