Purpose:

Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.

Objective:

Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

Description:

<?>

Inputs:

  • Results of third-party risk assessments
  • ISMS audit reports
  • Compliance audit results
  • Reviews of operational use
  • Root causes of quality delivery failures
  • Risk-related root causes
  • Root cause analyses and recommendations
  • Results of processing effectiveness reviews
  • Evidence of error correction and remediation
  • Program audit plans
  • Independent assurance plans
  • Root causes of quality delivery failures
  • Risk-related root causes
  • Root cause analyses and recommendations
  • Reports of non-compliance issues and root causes
  • Root causes of quality delivery failures
  • Risk analysis and risk profile reports for stakeholders
  • Risk-related root causes
  • Results of penetration tests
  • Root cause analyses and recommendations
  • Identified compliance gaps

Outputs:

  • Results of internal control monitoring and reviews
  • Results of benchmarking and other evaluations
  • Evidence of control effectiveness
  • Self-assessment plans and criteria
  • Results of self-assessments
  • Results of reviews of self-assessments
  • Control deficiencies
  • Remedial actions
  • Results of assurance provider evaluations
  • High-level assessments
  • Assurance plans
  • Assessment criteria
  • Assurance review scope
  • Engagement plan
  • Assurance review report
  • Refined scope
  • Assurance review results
  • Assurance review report

Controls:

  • Industry standards and good practices
  • <?>

Task Instructions:

Monitor Internal Controls

    1. Perform internal control monitoring and evaluation activities based on organizational governance standards and industry-accepted frameworks and practices. Include monitoring and evaluation of the efficiency and effectiveness of managerial, supervisory reviews.

    2. Consider independent evaluations of the internal control system (e.g., by internal audit or peers).

    3. Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).

    4. Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).

    5. Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, relevant business and IT processes, and IT risk. If gaps exist, evaluate, and recommend changes.

    6. Regularly evaluate the performance of the IT control framework, benchmarking against industry-accepted standards, and good practices. Consider the formal adoption of a continuous improvement approach to internal control monitoring.

    7. Assess the status of external service providers’ internal controls and confirm that service providers comply with legal and regulatory requirements and contractual obligations.

Review Business Process Controls Effectiveness

    1. Understand and prioritize risk to organizational objectives.

    2. Identify key controls and develop a strategy suitable for validating controls.

    3. Identify information that will persuasively indicate whether the internal control environment is operating effectively.

    4. Develop and implement cost-effective procedures to determine that persuasive information is based on the information criteria.

    5. Maintain evidence of control effectiveness.

Perform Control Self-Assessments

    1. Maintain plans and scope and identify evaluation criteria for conducting self-assessments. Plan the communication of results of the self-assessment process to business, IT and general management and the board. Consider internal audit standards in the design of self-assessments.

    2. Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.

    3. Assign responsibility for self-assessment to appropriate individuals to ensure objectivity and competence.

    4. Provide for independent reviews to ensure the objectivity of the self-assessment and enable the sharing of internal control good practices from other enterprises.

    5. Compare the results of the self-assessments against industry standards and good practices.

    6. Summarise and report outcomes of self-assessments and benchmarking for remedial actions.

    7. Define an agreed-on, consistent approach for performing control self-assessments and coordinating with internal and external auditors.

Identify and Report Control Deficiencies

    1. Identify, report, and log control exceptions, and assign responsibility for resolving them and reporting on the status.

    2. Consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.

    3. Communicate procedures for escalation of control exceptions, root cause analysis, and reporting to process owners and IT stakeholders.

    4. Decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Inform affected process owners and stakeholders.

    5. Follow up on all exceptions to ensure that agreed-on actions have been addressed.

    6. Identify, initiate, track, and implement remedial actions arising from control assessments and reporting.

Ensure that Assurance Providers are Independent and Qualified

    1. Establish adherence to applicable codes of ethics and standards (e.g., Code of Professional Ethics of ISACA) and (industry- and geography-specific) assurance standards, e.g., IT Audit and Assurance Standards of ISACA and the International Auditing and Assurance Standards Board’s (IAASB’s) International Framework for Assurance Engagements (IAASB Assurance Framework).

    2. Establish the independence of assurance providers.

    3. Establish competency and qualification of assurance providers.

Plan Assurance Initiatives

    1. Determine the intended users of the assurance initiative output and the object of the review.

    2. Perform a high-level risk assessment and/or assessment of process capability to diagnose risk and identify critical IT processes.

    3. Select, customize, and reach agreement on the control objectives for critical processes that will be the basis for the controlled assessment.

Scope Assurance Initiatives

    1. Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.

    2. Define the engagement plan and resource requirements.

    3. Define practices for gathering and evaluating information from the process(es) under review to identify controls to be validated, and current findings (both positive assurance and any deficiencies) for risk evaluation.

    4. Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (required by organizational or process risk assessment).

    5. Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).

Execute Assurance Initiatives

    1. Refine the understanding of the IT assurance subject.

    2. Refine the scope of key control objectives for the IT assurance subject.

    3. Test the effectiveness of the control design of the key control objectives.

    4. Alternatively/additionally test the outcome of the key control objectives.

    5. Document the impact of control weaknesses.

    6. Communicate with management during the execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.

    7. Supervise the assurance activities and make sure the work done is complete, meets objectives, and is of acceptable quality.

    8. Provide management with a report (aligned with the terms of reference, scope, and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions