Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.
Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
Monitor Internal Controls
Perform internal control monitoring and evaluation activities based on organizational governance standards and industry-accepted frameworks and practices. Include monitoring and evaluation of the efficiency and effectiveness of managerial and supervisory reviews.
Consider independent evaluations of the internal control system (e.g., by internal audit or peers).
Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).
Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).
Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, and relevant business and IT processes. If gaps exist, evaluate them and recommend changes.
Regularly evaluate the performance of the IT control framework, benchmarking against industry-accepted standards and good practices. Consider the formal adoption of a continuous improvement approach to internal control monitoring.
Assess the status of external service providers’ internal controls and confirm that service providers comply with legal and regulatory requirements and contractual obligations.
Review Business Process Controls Effectiveness
Understand and prioritize risk to organizational objectives.
Identify key controls and develop a strategy suitable for validating controls.
Identify information that will persuasively indicate whether the internal control environment is operating effectively.
Develop and implement cost-effective procedures to determine that persuasive information is based on the information criteria.
Maintain evidence of control effectiveness.
Perform Control Self-Assessments
Maintain plans and scope and identify evaluation criteria for conducting self-assessments. Plan the communication of results of the self-assessment process to business, IT and general management and the board. Consider internal audit standards in the design of self-assessments.
Determine the frequency of periodic self-assessments, considering the overall effectiveness and efficiency of ongoing monitoring.
Assign responsibility for self-assessment to appropriate individuals to ensure objectivity and competence.
Provide for independent reviews to ensure the objectivity of the self-assessment and enable the sharing of internal control good practices from other enterprises.
Compare the results of the self-assessments against industry standards and good practices.
Summarize and report outcomes of self-assessments and benchmarking for remedial actions.
Define an agreed-on, consistent approach for performing control self-assessments and coordinating with internal and external auditors.
Identify and Report Control Deficiencies
Identify, report, and log control exceptions, and assign responsibility for resolving them and reporting on the status.
Consider related enterprise risk to establish thresholds for escalation of control exceptions and breakdowns.
Communicate procedures for escalation of control exceptions, root cause analysis, and reporting to process owners and IT stakeholders.
Decide which control exceptions should be communicated to the individual responsible for the function and which exceptions should be escalated. Inform affected process owners and stakeholders.
Follow up on all exceptions to ensure that agreed-on actions have been addressed.
Identify, initiate, track, and implement remedial actions arising from control assessments and reporting.
Ensure that Assurance Providers are Independent and Qualified
Establish adherence to applicable codes of ethics and standards (e.g., Code of Professional Ethics of ISACA) and (industry- and geography-specific) assurance standards, e.g., IT Audit and Assurance Standards of ISACA and the International Auditing and Assurance Standards Board’s (IAASB’s) International Framework for Assurance Engagements (IAASB Assurance Framework).
Establish the independence of assurance providers.
Establish competency and qualification of assurance providers.
Plan Assurance Initiatives
Determine the intended users of the assurance initiative output and the object of the review.
Perform a high-level risk assessment and/or assessment of process capability to diagnose risk and identify critical IT processes.
Select, customize, and reach agreement on the control objectives for critical processes that will be the basis for the control assessment.
Scope Assurance Initiatives
Define the actual scope by identifying the enterprise and IT goals for the environment under review, the set of IT processes and resources, and all the relevant auditable entities within the enterprise and external to the enterprise (e.g., service providers), if applicable.
Define the engagement plan and resource requirements.
Define practices for gathering and evaluating information from the process(es) under review to identify controls to be validated, and current findings (both positive assurance and any deficiencies) for risk evaluation.
Define practices to validate control design and outcomes and determine whether the level of effectiveness supports acceptable risk (required by organizational or process risk assessment).
Where control effectiveness is not acceptable, define practices to identify residual risk (in preparation for reporting).
Execute Assurance Initiatives
Refine the understanding of the IT assurance subject.
Refine the scope of key control objectives for the IT assurance subject.
Test the effectiveness of the control design of the key control objectives.
Alternatively/additionally test the outcome of the key control objectives.
Document the impact of control weaknesses.
Communicate with management during the execution of the initiative so that there is a clear understanding of the work performed and agreement on and acceptance of the preliminary findings and recommendations.
Supervise the assurance activities and make sure the work done is complete, meets objectives, and is of acceptable quality.
Provide management with a report (aligned with the terms of reference, scope, and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.