Given the greater potential for an IT software related irregular or illegal act, an IT auditor should pursue understanding the backdoors and trapdoors in the entity’s computer processing environment and evaluate whether adequate preventive and detective controls are deployed. Furthermore, when performing irregular or illegal act agreed-upon procedures assessments, an IT auditor should determine if management designed adequate encryption requirements for sensitive data.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

Protective measures should also be deployed to ensure information assets are maintained in a properly controlled and secured environment. Specifically, a physically and logically secure environment should exist at the GCC level. Regarding irregular and illegal acts, adequate IT personnel and inventory identification as well as access restrictions should be considered crucial controls. Pervasively, employing a competent information security manager can ensure continuous monitoring of general as well as application access.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

SOF and SOD are considered organizational controls that may prevent, deter, and/or detect irregular and illegal acts. An entity’s IT management is responsible for sustaining an adequate Internal Control Structure (ICS) to safeguard information system assets. One of the factors an ICS relies on is maintaining adequate SOF between the various IT department units as well as other non-IT groups.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

Through key operations GCC; Segregation-of-Functions (SOF) and Segregation-of-Duties (SOD) supports policies, procedures, directives, and an organizational structure established to inhabit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Assessing control existence and adequacy for an audit area are primary IT auditor responsibilities. Therefore, an IT auditor should study and evaluate policies, procedures, directives, SOF, and SOD controls as well as protection-of-information-assets to demonstrate due diligence regarding irregular and illegal act risks.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

Management is responsible for implementing and maintaining an adequate internal controls system. Whereby; policies, procedures and directives are the primary means to document management’s intentions regarding an organization. In this context, published policies, procedures, and directives reflect managements’ criteria for executing specific tasks.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

Whether target data are in transit or at rest, it is critical that measures be in place to prevent the sought information from being destroyed, corrupted or becoming unavailable for forensic investigation. When evidence is at rest, adequate procedures should be followed to ensure evidential nonrepudiation. Volatile data capture assists investigators in determining the system state during the incident or event. Consequently, the utilization of functionally sound imaging software and practices is essential to maintaining evidential continuity.

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

“View Part I of the Irregularities and Illegal Acts Agreed-Upon Procedures Assessments series here“

Irregularities and/or illegal acts agreed-upon procedures maybe included in the “terms of reference” of a standard IT assurance engagement. Alternatively, agreed-upon procedures can be documented within a separate engagement letter. IT financial statement fraud and computer forensics are examples of potential agreed-upon procedures that may be undertaken as separate engagements. Nonetheless, if agreed procedures are a separate engagement, the IT auditor should not express any assurance concerning the subject matter examined during the course of performing assignment procedures.

Post Note: Irregularities and Illegal Acts Agreed-Upon Procedures Assessments contains redacted excerpts from Assuring IT Legal Compliance (Assurance Services)

“View Part I of the Auditing IT Governance series here“

Moreover, critical for a viable IT governance audit plan is the IT audit function’s organizational status. Specifically, internal IT audit organizational status may become a factor in determining whether to proceed with an IT governance audit. For instance, management may consider it inappropriate to grant internal IT auditors access to high-level business documents. Accordingly, organizational status may require hiring an independent third party to manage and perform the IT governance audit.

“View Part I of the Auditing IT Governance series here“