
Global Technology Audit Guide

The Institute of Internal Auditors


(www.theiia.org/technology)

www.theiia.org

This presentation covers:

What is GTAG?
Who is GTAG's target audience?
Who is involved in GTAG development?
How many guides have been published?
What do members think of the GTAG series?
What are the future GTAG topics?
How to get GTAG?

What is GTAG?
GTAG - Global Technology Audit Guide
To provide easy-to-understand information technology audit guides to Chief Audit Executives, Audit Committees and Executive Management
To provide a mechanism to quickly address new IT issues
To produce technical audit guides on a global scale

Who is GTAG's target audience?

Primary target - Chief Audit Executive (CAE)

Many CAEs face the challenge of understanding technology, which is necessary to plan and conduct internal audits.
CAEs are not well served by many existing guides, such as COBIT, which tend to target technical IT auditors and IT management.
Given the broad responsibility of CAEs, the GTAG series provides them with a high-level overview of risk management and control related to IT.
GTAG is of practically immeasurable value to busy executives who need to quickly understand technology issues and evaluate their impact on the organization.

Who is involved in GTAG development?
The Advanced Technology Committee selects topics based on members' needs, oversees development of the guides and develops content.
Partners with other professional organizations broaden the audience for the guides and contribute to content: AICPA, NACD, CIS, FEI, ISSA, SANS Institute, Carnegie Mellon SEI.
IIA global affiliates participate in the review process.

15 GTAGs published

GTAG-1: IT Controls (2005)
GTAG-2: Change and Patch Management Controls (2005)
GTAG-3: Continuous Auditing (2005)
GTAG-4: Management of IT Auditing (2006)
GTAG-5: Managing and Auditing Privacy Risks (2006)
GTAG-6: Managing and Auditing IT Vulnerabilities (2006)
GTAG-7: Information Technology Outsourcing (2007)
GTAG-8: Auditing Application Controls (2007)
GTAG-9: Identity and Access Management (2007)
GTAG-10: Business Continuity Management (2008)
GTAG-11: Developing the IT Audit Plan (2008)
GTAG-12: Auditing IT Projects (2009)
GTAG-13: Fraud Prevention & Detection in an Automated World (2009)
GTAG-14: Auditing User-developed Applications (2009)
GTAG-15: Information Security Governance (2009)

GTAG-1: Information Technology Controls
It covers:
Understanding of IT controls
Importance of IT controls
Organizational roles and responsibilities for ensuring IT controls
Analyzing risks
Monitoring and techniques
IT control assessment

GTAG-2: Change and Patch Management Controls: Critical for Organizational Success
It covers:
Why IT change and patch management controls are foundational to a healthy IT environment
How IT change and patch management controls help manage IT risks and costs
What works and doesn't work in practice
Sources of change and their likely impact on business objectives

GTAG-3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
It covers:
Role of continuous auditing in today's internal audit environment
Relationship of continuous auditing, continuous monitoring, and continuous assurance
The application and implementation of continuous auditing
Benefits of a continuous, integrated approach

GTAG-4: Management of IT Auditing
It covers:
Defining IT
IT-related risks
Defining the IT audit universe
Executing IT auditing
Managing IT auditing
Emerging issues

GTAG-5: Managing and Auditing Privacy Risks
It covers:
What is privacy
Privacy principles and frameworks
Privacy impacts and risk model
Privacy controls
Good and bad performers
Internal auditing's role
Auditing privacy
CAE's top 10 privacy questions

GTAG-6: Managing and Auditing IT Vulnerabilities
It covers:
Defining the vulnerability management lifecycle
The scope of a vulnerability management audit
Organizational maturity
Metrics to measure vulnerability management practices
Top 10 vulnerability management questions

GTAG-7: Information Technology Outsourcing
It covers:
How to choose the right IT outsourcing vendor?
What are the best ways to manage outsourcing contract agreements?
What are the main outsourcing risks and how to mitigate them?
What are the key outsourcing control considerations from the standpoints of both client operations and service provider operations?
Which is the most effective framework for establishing outsourcing controls?

GTAG-8: Auditing Application Controls (playback link available)
It covers:
What is application control?
What is the relationship between application controls and general controls?
Why rely on application controls?
How to scope a risk-based application control review?
What are the steps to conduct an application controls review?
A list of key application controls
A sample audit program

GTAG-9: Identity and Access Management (playback link available)
It covers:
Insight into what IAM means to an organization
Access rights and entitlement provisioning process
Administration of identities and access rights process
Use of technology in IAM
Suggests internal audit areas for investigation
Assists CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes
Includes a checklist for an IAM

GTAG-10: Business Continuity Management
It covers:
Help communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Disaster recovery planning for continuity of critical information technology infrastructure and business application systems.
Business impact analysis
Business recovery and continuity strategy
Disaster recovery for IT
Crisis communications

GTAG-11: Developing the IT Audit Plan
It covers:
Understanding the organization and how IT supports it.
Defining and understanding the IT environment.
Identifying the role of risk assessments in determining the IT audit universe.
Formalizing the annual IT audit plan.

GTAG-12: Auditing IT Projects
It covers:
Key project management risks.
How the internal audit activity can actively participate in the review of projects while maintaining independence.
Five key components of IT projects for internal auditors to consider when building an audit approach.
Types of project audits.
A suggested list of questions for use in the IT project assessment.

GTAG-13: Fraud Prevention & Detection in an Automated World (playback link available)
It covers:
Step-by-step process for auditing a fraud prevention program
An explanation of the various types of data analysis to use in detecting fraud
A technology fraud risk assessment template

GTAG-14: Auditing User-developed Applications (playback link available)
It covers:
Direction on how to scope an internal audit of UDAs.
Guidance on how the internal auditor's role as a consultant can be leveraged to assist management with developing an effective UDA control framework.
Considerations that internal auditors should address when performing UDA audits.
A sample UDA process flow as well as a UDA internal audit program and supporting worksheets to help internal auditors organize and execute an audit.

GTAG-15: Information Security Governance
It covers:
Defining ISG.
Helping internal auditors understand the right questions to ask and know what documentation is required.
Describing the internal audit activity's (IAA) role in ISG.
Steps to plan, test, and analyze an audit of ISG.

What do IIA members think of GTAG?

The GTAG survey shows that:

On average, 92.4% of participants think GTAG topics are important to their organization.
On average, 81% of participants think GTAGs are useful or very useful to their organization.

Future GTAG topics

IT Governance
Data Analysis Technology
Third Party Development Lifecycle

How to get GTAG?

Free MEMBER download of the electronic copy from the IIA technology website: www.theiia.org/technology

Purchase a printed copy from the IIA Bookstore (US$ 25 for IIA members, US$ 30 for non-members)

GAIT
The Guide to the Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

GAIT
The GAIT Methodology PG: a risk-based approach to assessing the scope of IT general controls as part of management's assessment of internal control required by Section 404 of SOX
GAIT for IT General Control Deficiency Assessment PG: an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies

GAIT
GAIT for Business and IT Risk PG: guidance for helping identify the IT controls that are critical to achieving business goals and objectives
Case Studies of Using GAIT-R to Scope PCI Compliance: following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.

Want to learn more?

IIA Practice Guide Series

Monthly web event, free to members
Authors discuss IIA practice guides
Playback links available:
http://www.theiia.org/guidance/standards-and-guidance/practice-guide-series/
