Ensuring That the Organization's Information Technology and Business Systems Are Adequately Controlled, Monitored, and Assessed

The organization's management is responsible for preventing and detecting illegal or irregular acts. Although the IS auditor is not qualified to determine whether an irregular, illegal, or erroneous act has actually occurred, the auditor is responsible for assessing the risk that such acts might occur. This is done by designing audit procedures that take the assessed risk of irregular and illegal acts into account, and then reviewing the results of those procedures for indications of such acts. If the IS auditor suspects that such acts have occurred, the auditor must report the finding without delay to his or her supervisor and, where appropriate, to corporate governance bodies such as the board of directors or the audit committee. In addition, the IS auditor is responsible for evaluating whether management has developed, implemented, and operates sound internal controls for the protection of private information; in particular, the IS auditor should assess the strength and effectiveness of the controls designed to protect personally identifiable information within the organization.

ISACA's COBIT Framework

Other resources available through ISACA are the COBIT resources. COBIT is intended for use by business and IT management as well as IS auditors, so its use ensures that business objectives, best practices, and recommendations are communicated in terms of a commonly understood and well-respected standard reference. These resources can be used as a source of best-practice guidance. Each of the following is organized by IT management process, as defined in the COBIT framework.
The COBIT framework presents good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs, and performance-measurement requirements. Auditors review the IS function for formal risk-management strategies covering systems development and implementation projects, as well as the acquisition, development, change management, and implementation of IT applications. The COBIT management guidelines consist of maturity models, critical success factors, key goal indicators, and key performance indicators. The COBIT control objectives provide the insight needed to define a clear policy and good practice for IT controls; they comprise 318 specific, detailed control objectives grouped under 34 high-level control objectives. The COBIT framework provides 11 processes in the management and deployment of IT systems:
COBIT, issued by the IT Governance Institute and now in its third edition, is increasingly accepted internationally as good practice for control over information, IT, and related risks. Its guidance enables an enterprise to implement effective, pervasive, and intrinsic governance over IT throughout the enterprise.

Control Self-Assessment

A control self-assessment (CSA) is a formal, documented, collaborative process in which management or work teams are directly involved in judging and monitoring the effectiveness of controls. A CSA does not replace an audit; its main objective is to enhance audit responsibility by making the people who operate the controls accountable for evaluating them. A primary benefit to an organization that employs CSA techniques is that it can identify high-risk areas that may need a detailed review later. A CSA is generally conducted through workshops in which the IS auditor leads and guides the clients in assessing their own environment. This lets auditors serve as assessment facilitators and shifts some of the control-monitoring responsibility to the functional areas.
The traditional role of an IS auditor in a control self-assessment (CSA) should therefore be that of a facilitator.