IT and Information Security (IS) will inevitably appear on the risk registers and internal audit universes of most London Market insurers, branches and intermediaries. Some internal audit teams have dedicated specialist resource, but many do not. Possible solutions are:
- Outsource or co-source to an external provider – this is expensive and is no guarantee of internal audit quality
- Recruit dedicated resource, such as a CISA (Certified Information Systems Auditor) qualified and experienced IT/IS internal auditor – this is probably the best option, but such personnel are difficult to source and their salary package will likely be an outlier compared to other members of the IA team
- Co-source from Group Internal Audit, where the local IA team leads the audit and has technical support from the Group IA function
- Co-source with the local IT function, where the local IA team leads the audit using a standard IT general controls (ITGC) audit program and has technical support from the IT function. The remainder of this blog focuses on the practical application of this final option.
ITGC
The objective of ITGCs is to ensure the integrity of the data and processes that the systems support. The most common ITGCs are as follows:
- Logical access controls over applications, data and supporting infrastructure
- Program change management controls
- Backup and recovery controls
- Computer operation controls
- Data centre physical security controls
- System development life cycle controls
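The first of these domains, logical access, is the one a local IA team can test most readily with data the IT function already holds: an HR feed and a user export from the application under review. The Python below is an added example and is not part of the original post or any audit program it refers to. It reconciles a constructed HR feed against a constructed application user export and reports the exceptions an access review would normally raise: leavers whose accounts are still enabled, enabled accounts with no HR record (typically service or generic accounts that need separate justification), dormant accounts, and privileged accounts with no recorded approval. The field names, the sample records and the 90-day dormancy threshold are assumptions for illustration, not a standard.

```python
"""
Added example (not from the original post): a minimal logical-access review
over two constructed data sets. Field names and the 90-day dormancy threshold
are assumptions; in practice both come from the firm's own access policy.
"""
from datetime import date

DORMANT_DAYS = 90  # assumed threshold; take it from the firm's access policy

# Constructed HR feed: who is currently employed.
HR_RECORDS = [
    {"user_id": "ajones", "status": "active", "role": "underwriter"},
    {"user_id": "bsmith", "status": "leaver", "leave_date": "2024-05-31"},
    {"user_id": "cwong",  "status": "active", "role": "it_ops"},
    {"user_id": "dpatel", "status": "active", "role": "claims"},
    {"user_id": "ekhan",  "status": "leaver", "leave_date": "2024-03-15"},
]

# Constructed application user export: one row per account on the system.
ACCOUNTS = [
    {"user_id": "ajones",    "enabled": True,  "privileged": False, "last_login": "2024-06-28", "approval_ref": "REQ-1001"},
    {"user_id": "bsmith",    "enabled": True,  "privileged": False, "last_login": "2024-05-30", "approval_ref": "REQ-0877"},
    {"user_id": "cwong",     "enabled": True,  "privileged": True,  "last_login": "2024-06-29", "approval_ref": None},
    {"user_id": "dpatel",    "enabled": True,  "privileged": False, "last_login": "2024-02-01", "approval_ref": "REQ-0910"},
    {"user_id": "ekhan",     "enabled": False, "privileged": False, "last_login": "2024-03-14", "approval_ref": "REQ-0650"},
    {"user_id": "svc_batch", "enabled": True,  "privileged": True,  "last_login": "2024-06-29", "approval_ref": "REQ-0500"},
]

SAMPLE_TODAY = date(2024, 6, 30)  # fixed review date so the example is repeatable


def access_review(hr_records, accounts, today, dormant_days=DORMANT_DAYS):
    """Return findings keyed by test name; each value is a sorted list of user IDs.

    Only enabled accounts are tested: a leaver whose account has already been
    disabled is the control working, not an exception.
    """
    employed = {r["user_id"] for r in hr_records if r["status"] == "active"}
    known = {r["user_id"] for r in hr_records}
    findings = {
        "leaver_still_enabled": [],   # HR says leaver, account still enabled
        "no_hr_record": [],           # enabled account with no HR owner
        "dormant": [],                # no login within dormant_days
        "privileged_no_approval": [], # admin rights with no approval reference
    }
    for acct in accounts:
        if not acct["enabled"]:
            continue
        uid = acct["user_id"]
        if uid not in known:
            findings["no_hr_record"].append(uid)
        elif uid not in employed:
            findings["leaver_still_enabled"].append(uid)
        last_login = date.fromisoformat(acct["last_login"])
        if (today - last_login).days > dormant_days:
            findings["dormant"].append(uid)
        if acct["privileged"] and not acct["approval_ref"]:
            findings["privileged_no_approval"].append(uid)
    return {test: sorted(ids) for test, ids in findings.items()}


def run_sample():
    """Run the review over the constructed data at the fixed review date."""
    return access_review(HR_RECORDS, ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for test, ids in run_sample().items():
        print(f"{test}: {', '.join(ids) if ids else 'no exceptions'}")
```

Each exception list maps directly onto a working paper: the leaver and dormant findings test the leaver and periodic-recertification processes, the no-HR-record list is the population of service and generic accounts for which the auditor should ask IT for an owner, and the privileged list tests the approval step of the access request process. The IT function supplies the two extracts; the IA team keeps the reconciliation and the conclusions.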
A great starting point is the Global Technology Audit Guides (GTAGs). The first GTAG helps the Head of IA and their teams keep pace with the ever-changing and sometimes complex world of information technology (IT). It provides an overview of IT-related risks and controls written in a reader-friendly style for business executives rather than in highly technical language, which matters because both senior management and the audit committee expect the internal audit activity to provide assurance over all important risks, IT included.
The goal of the first GTAG is to help internal auditors become more comfortable with general IT controls so they can confidently communicate with their audit committee and exchange risk and control ideas with the chief information officer (CIO) and IT management. It describes how members of governing bodies, executives, IT professionals and internal auditors address significant IT-related risk and control issues, and presents relevant frameworks (internal audit programs) for assessing IT risk and controls. It also sets the stage for the subsequent GTAGs, which cover specific IT topics and the associated business roles and responsibilities in greater detail.
To date, the Institute of Internal Auditors (IIA) has released GTAGs on the following topics:
- GTAG 1: Information Technology Controls
- GTAG 2: Change and Patch Management Controls: Critical for Organizational Success
- GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
- GTAG 4: Management of IT Auditing
- GTAG 5: Managing and Auditing Privacy Risks
- GTAG 6: Managing and Auditing IT Vulnerabilities
- GTAG 7: Information Technology Outsourcing
- GTAG 8: Auditing Application Controls
- GTAG 9: Identity and Access Management
- GTAG 10: Business Continuity Management
- GTAG 11: Developing the IT Audit Plan
- GTAG 12: Auditing IT Projects
- GTAG 13: Fraud Prevention and Detection in an Automated World
- GTAG 14: Auditing User-developed Applications
- GTAG 15: Information Security Governance (withdrawn and combined with GTAG 17)
- GTAG 16: Data Analysis Technologies
- GTAG 17: Auditing IT Governance
- GTAG: Auditing insider threat programmes
- GTAG: Auditing smart devices
- GTAG: Assessing cybersecurity risk
- GTAG: IT change management, 3rd edition (replaces GTAG 2: Change and patch management controls)
- GTAG: IT essentials for internal auditors
- GTAG: Understanding and auditing big data
The complete document suite can be found at https://www.iia.org.uk/; we have also provided GTAG 1 – Information Technology Controls directly.