The security aspects of a business are critical and an important part of internal auditing.
Security audits primarily focus on governance, risks, and controls related to:

Financial reporting objectives should form the basis for the majority of internal controls. Internal controls set reliable financial reporting as a key objective because of the importance of these reports to lenders (primarily bankers) and investors and because of their role in satisfying legal and regulatory requirements and in ensuring efficiency and stewardship over the organization’s resources.

Assurance audits of managerial accounting and reporting systems feature similar objectives as those stated above for audits of ICFR, but they are intended to be shared with management to enable effective decision making within the organization.

Compliance is “the conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.” Compliance audits evaluate the adequacy and effectiveness of controls that keep the organization in compliance with applicable laws and regulations, contracts, and the organization’s own policies.

The objectives of an effective compliance program are to:

• Identify and discourage intentional and unintentional violations.
• Detect illegal activities.
• Ensure that adequate organization-wide compliance training programs are in place.
• Assist in proving insurance claims.
• Encourage proper behavior by providing incentives.
• Enhance and create corporate identity.

The organization should establish compliance standards and procedures that are reasonably capable of reducing the prospect of criminal conduct by employees and other agents, and compliance audits should review and assess these standards/procedures.

Internal audit scope may include a review of the compliance programs to see if:

• Written materials are effective.
• Employees have received communications.
• Detected violations have been handled appropriately.
• Discipline has been even-handed.
• Whistleblowers have not suffered retaliation.
• The overall compliance function has fulfilled its responsibilities.

Systems development life cycle (SDLC) reviews may be either advisory or facilitative in nature, but they are most often conducted as advisory engagements.
The SDLC review should involve all stakeholders in the system—all those who have an organizational interest in the day-to-day operations of the system. The auditor has significant responsibilities during the SDLC review:

• Ensuring that stakeholder interests are at the forefront of the development objectives.
• Ensuring that the development project follows the organization’s standards for systems development.
• Ensuring that the IT activity adheres to a framework or methodology such as the SDLC
  Auditors could be involved in a design review at several places:
• During systems analysis as a project team member to define the goals or purposes of a procedure or business function and to identify ways to accomplish those goals most efficiently, to evaluate the feasibility of proposed systems (to determine if a project will add value and satisfy objectives at a reasonable cost), or to evaluate the feasibility assessment process itself
• During system design or system selection as a project team member to ensure that controls are designed in
• During conversion and implementation to ensure that the project meets objectives and acceptance criteria
• During feedback as part of a post-project design or acquisition review for continuous improvement of the system and/or the process in general

Systems analysis is a key phase of the SDLC, and this is often where internal auditors play a key role in a consulting engagement. Systems analysis may involve applying problem-solving methodologies and a system-wide perspective and/or deconstructing the parts and subparts of the system to gain an understanding of how the system or process works in detail.
Systems design is the process of defining the architecture, modules, interfaces, and data for a system to satisfy the organization’s requirements for the system. Internal auditors may be able to take their holistic view of organizational processes and the overall goals of the process identified in systems analysis to help ensure that systems design is comprehensive and that the overall architecture or framework is sound. Systems design can be seen as an extension of systems theory (understanding the system as a whole, the cyclic nature of many processes, and the role of its inputs and outputs) into the realm of product development.

Business process mapping is often used in consulting engagements as a method of understanding what is really needed to make a business process function versus what is being done but isn’t adding any value to the end customer. Business process mapping often begins with a process owner leading the internal auditor on a walkthrough. Then a flowcharting activity is conducted to map the process and identify where value is added and where business process improvements could be made. Additional details on process mapping, including performing walkthroughs and flowcharting, are covered elsewhere in this product.