The Importance of Using Standards in Compliance Auditing

There is no shortage of frameworks and standards for IT departments and auditors to rely on. There are many different standards from varying organizations, each with its own strengths and weaknesses. However, they all have the same common goal of establishing prudent and good practices around IT control. Many organizations find that they need to use a blend of standards to accomplish their goals. Auditors tend to focus or specialize on particular standards, yet many organizations may seek an audit or assessment against a particular standard. Many organizations, in the beginning, look to their peers and to auditors for what framework and standards they should be using. It is important, however, to consider the needs of the specific organization.

While trying to determine a specific standard to which to adhere, it is helpful to consider the high-level differences among them. Consider the following attributes that vary among different standards and frameworks:

  • Depth and breadth—Some go far and wide, whereas others are narrow and deep. Guiding principles that cover a wide range might be most suitable to your organization. Alternatively, more prescriptive guidance around describing and assessing actual controls might be helpful.

  • Flexibility—One standard might apply across the entire organization, whereas another might be limited to a specific department or team.

  • Reasoning—Some standards provide stronger guidance about why they make a particular statement around controls. Sometimes, the reasoning can be important, as those put in place and auditing controls understand how and why they apply.

  • Prioritization—Although each organization determines acceptable risk, some standards can provide guidance for focusing on certain areas over others.

  • Industry acceptance—Some standards are generally accepted more than others. Acceptance also varies by industry.

Standards and frameworks are closely tied to the previous discussion of policies and standards. A framework should offer IT organizations a method for establishing an approach to managing IT risks. The use of a framework combined with an analysis of risk helps guide the development of appropriate written policies and standards within the organization. A high-level control from a framework might state, for example, that systems should be protected from unauthorized access. As a result, an organization develops several policies that pertain to enforcing authorized access to its systems. One such policy states that individuals are assigned unique user names and passwords for the system. In turn, a standard may dictate specific parameters—for example, usernames must follow the format of first initial preceded by last name and be at least eight alpha-numeric characters. Finally, a procedure indicates how to apply the requirements on a particular system.

Clearly documented policies, standards, and procedures provide auditors with an obvious path upon which to base their audits. An unclearly documented policy structure makes the auditor’s and auditee’s jobs much more difficult. Audits go more smoothly when both parties work from closely aligned frameworks and accepted practices. If, for example, an auditor discovers a lack of clear policies, a standard provides a solid baseline on which to base the findings. For example, an audit deficiency that states that password security should “be stronger” is less powerful than one that states that password requirements aren’t up to a specific standard or best practice.

Auditing against standards works best when the auditor and the organization agree on a specific standard. Organizations first select frameworks most appropriate to their business. Then it is the auditor’s job to evaluate whether the company-selected standard is reasonable. The auditor must assess against the standard. This is one reason why most companies go with recognized and mature standards. The following are some key recommendations when selecting a standard:

  • Select a standard that can be followed—This allows the standards to be more easily put in place. It also allows others within the organization and auditors to embrace the standards.

  • Employ the standard—This reduces liability for having selected a specific standard that is not actually put into place.

  • Select a flexible standard—This provides the organization the ability to remain responsive to changing business environments and consider its own risk profile.

In the next sections, you’ll learn about different frameworks and standards. Standards are relevant to the individuals and groups within the organization. Figure 4-1 illustrates the hierarchy of governance and controls. The diagram includes sample standards as well as the people to whom they apply.

FIGURE 4-1 The hierarchy of standards and personnel.

Following are the high-level steps an organization may take to apply the use of standards:

  • Educate personnel, beginning with senior management.

  • Choose the standards that the organization will follow.

  • Put the people in place and provide the needed resources to apply and meet the standard.

  • Confirm the standards are being met by using an internal audit and outside resources as needed.

Institute of Internal Auditors

The Institute of Internal Auditors (IIA) provides internal auditors with standards and guidance on how to perform an audit. The IIA standards are not specific to technology audits and can be applied to any audit or assessment, such as accounting or business audits.

The IIA standards are important as they establish core principles the auditor must follow. These principles and supporting standards ensure the highest professionalism from the auditor:

  • Demonstrates integrity

  • Demonstrates competence and due professional care

  • Is objective and free from undue influence (independent)

  • Aligns with the strategies, objectives, and risks of the organization

  • Is appropriately positioned and adequately resourced

  • Demonstrates quality and continuous improvement

  • Communicates effectively

  • Provides risk-based assurance

  • Is insightful, proactive, and future-focused

  • Promotes organizational improvement

The standards include a code of ethics that sets professional requirements outlined in the International Professional Practices Framework. All IIA members and certified internal auditors are required to conform to the standards and code of ethics.

The internal audit function assures your board of directors, audit committee, and other stakeholders that risks are appropriately and reasonably controlled. The IIA standards assure that the audits and assessments are performed to the highest standards possible. In sum, the IIA standards provide the auditor function with credibility.

The IIA standards provide useful guidance on how to avoid conflicts of interest. For example, suppose an auditor is asked to provide advice on how to control a specific risk for an application under development. An auditor with broad risk knowledge would potentially have valuable insights to offer, yet once that advice is given, should the same auditor be allowed to audit that application? In other words, having given the advice, could the auditor be expected to fairly audit his or her own work? IIA standard 1130 provides guidance as follows:

The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.

The conflict of interest is just one of many situations auditors may find themselves in. This specific example is given to illustrate the power of having clear standards that can help auditors understand the rules and expectations of their role. Care should always be taken during the audit planning process to ensure the situation could not be perceived as an impairment of independence or objectivity.

COBIT

While the IIA standards set clear audit standards and frameworks, they lack specific details on how to audit and assess technology. The Control Objectives for Information and Related Technology (COBIT) is a global standard and IT management framework developed by ISACA to help businesses develop, organize, implement, manage, and audit the organization’s IT environment.

COBIT offers an IT-specific framework and is an excellent supplement to COSO and adheres to IIA guidance. COBIT provides corporate management, IT management, and auditors with an accepted set of processes and controls to develop IT governance and control within an organization. Specifically, COBIT allows IT management to develop clear policies and apply good practices. COBIT even considers other standards as it seeks to be the overarching IT governance framework. COBIT is business-focused, process-oriented, controls-based, and measurement-driven. COBIT considers risk and stays close to the business by focusing on the benefits associated with IT. COBIT helps to align IT with the business or enterprise requirements by doing the following:

  • Mapping controls to key business requirements

  • Classifying IT activities into a process model

  • Identifying the key IT resources to be controlled

  • Defining the framework for control objectives

By providing enterprise-focused alignment, management can better understand what IT does. In addition, COBIT provides additional benefits:

  • Clear accountability and responsibility

  • Acceptance from third parties, auditors, and regulators

  • Fulfillment of COSO requirements concerning the IT control environment

COBIT serves as a valuable framework across different groups. For example, management can use COBIT to assess the performance of IT processes by comparing enterprise goals against the IT-related goals. Both types of goals are provided within COBIT. Those implementing COBIT as well as auditors can leverage the control requirements and assigned responsibilities from within COBIT.

COBIT 2019 is an IT management framework to help organizations develop, organize, and implement strategies related to the common practices of information management and governance. Its performance management system allows more flexibility when using maturity and capability measurements. The core principles contained within COBIT 2019 are listed below. Each of these principles should be embedded in the various IT controls and processes that an auditor can examine.

Before looking at the framework in-depth, let’s first explore some of the principles of COBIT 2019, as follows:

  1. Provide Stakeholder Value

  2. Holistic Approach

  3. Dynamic Governance System

  4. Governance Distinct from Management

  5. Tailored to Enterprise Needs

  6. End-to-End Governance System

Provide Stakeholder Value

The principle to “provide stakeholder value” largely addresses two important ideas:

  • IT functions exist to help an organization achieve its goals while minimizing risks. Technology for technology’s sake is meaningless. In other words, using technology to achieve an organization’s goal provides stakeholder value. So who is the stakeholder? In this context, a stakeholder is anyone with a vested interest in the organization’s success. For example, a customer holding an insurance policy is a stakeholder because they rely on the health of the company to pay out on claims when needed. A shareholder is a stakeholder because they hope the company will make a profit. Management is a stakeholder because they rely on IT systems to accurately implement their business objectives.

  • Value that is created must be done so in a way that also considers risk and the appropriate use of resources. Therefore, the enterprise goals must be aligned properly to IT resources.

To help with this alignment, consider the following when implementing IT systems:

  • Benefits realization

  • Risk optimization

  • Resource optimization

Based on the needs, you can then map enterprise goals to determine which goals are primary or secondary. COBIT 2019 provides 17 sample goals across the following four dimensions:

  • Financial

  • Customer

  • Internal

  • Learning and growth

For example, the following are the five sample enterprise goals in the internal dimension:

  • Optimization of business process functionality

  • Optimization of business process costs

  • Managed business change programs

  • Operational and staff productivity

  • Compliance with internal policies

Finally, these IT-related goals cascade down to what is known as enabler goals. Enablers are things such as processes or people. The enablers influence the outcomes and help accomplish goals.

Holistic Approach

The principle of a holistic approach refers to the importance of looking at how all the IT processes and components come together. Components can be defined in various ways. At a high level, consider the following components and how they come together to deliver IT services:

  • Principles, policies, and frameworks

  • Processes

  • Organizational structures

  • Culture, ethics, and behavior

  • Information

  • Services, infrastructure, and applications

  • People, skills, and competencies

Finally, a performance-management component is built into this model. Based on metrics, it determines whether the use of the enablers is producing a positive outcome.

Dynamic Governance System

The principle of dynamic governance is a simple and powerful concept that focuses on change. Change is said to be the one constant in IT. Think about how the Internet itself has enabled change. The remote work environment was a key enabler during the 2020 pandemic to connect workers to the office. The Internet allows us to talk with individuals around the world to exchange ideas and information and to buy products and services. It has increased competition and made certain products, once rare, now affordable. We’ve automated factories as well as improved safety systems in ordinary products, such as computerized alarm systems to prevent anyone from breaking into our homes. Commonplace in our work environments is an array of applications that give instant access to knowledge that would have been difficult or impossible to gain previously. This is not just accessing information but also collaborating and creating new bodies of knowledge through everyday applications like email, spreadsheets, personal databases, and word processing software.

Dynamic governance is the recognition that business requirements, technology, and risks are in constant change. Consequently, IT governance must be dynamic and adjust to the constantly changing landscape.

Governance Distinct from Management

The principle that “governance [is] distinct from management” is one on which COBIT makes a strong statement, because the two differ greatly and each ultimately serves a different purpose. According to COBIT 2019, governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision-making; and then monitors performance and compliance against the agreed-on direction and objectives.

On the other hand, management runs day-to-day activities. Management builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Governance and management are complementary disciplines. Governance guides management and the collective activities of management to achieve organizational goals. As a result, governance tends to take a longer view of outcomes, while management tends to take a more tactical view with a focus on execution. Both are critical to an organization’s success. Plenty of resources are available to enable and implement COBIT 2019 and these principles. These principles are included in the ISACA’s COBIT 2019 Implementation professional guide.

Tailored to Enterprise Needs

The principle of “tailored to enterprise needs” goes back to the idea that one size does not fit all! All organizations are unique and often have different goals, objectives, and measurements of success. For example, an emerging technology start-up company may be willing to take on more risks to break into a new market. But a health care company must minimize risks that could result in harm to their patients.

As a framework, COBIT covers IT governance requirements for many industries. The key is to understand that a framework establishes broad requirements that must be tailored to each company’s needs. We tailor by setting the risk appetite of the company through a deep understanding of risks and competing drivers; as a result, IT priorities can be set.

Not all business risks can be eliminated, but they can be reduced. Often through technology, the business can balance several competing drivers. Some of these drivers include the following:

  • Keep costs low while keeping customer satisfaction high

  • Meet legal obligations

End-to-End Governance System

The principle of “end-to-end governance” means not to look at technology oversight in isolation. It is this collective view of the process steps and its reliance on technology that provides the best view of risk. If you look at technology in isolation, you can lose business context. For instance, assume you are assessing customer privacy based on regulatory mandates. If you follow the process, you can identify risks during the hand-off between the business rules on handling customer data and how technology systems enforce those rules by limiting access. Both require effective governance. Looking at both governance processes as an end-to-end process provides a holistic view as described previously.
