Organisational context

This page, which we have named ‘Organisational context’, provides an introduction to the general context and business environment in which the organisation operates. Organisational context forms part of the internal auditor’s body of knowledge, the core elements of which are covered in the Institute’s professional qualifications. Building upon these foundations, through CPD and research of technical resources, will enable the internal auditor to develop an awareness of current issues and risks so that internal audit plans focus on the things that matter to the organisation, thereby adding value.

The resources set out below begin our effort to create links to good sources of information. We will continue to add new information and links, but you can assist us by emailing your suggestions to our Technical Manager, chris.baker@iia.org.uk.

You may also wish to review the separate webpages we have set up on governance, risk management, and control before browsing this page.


Information technology

Information technology (IT) is a broad term that is concerned with the complexity of managing and processing information. IT affects the organisation's strategy, its structure, marketing and operations. This includes some well-used terms such as IT governance, data management, information security, system development and implementation, business continuity, networking and telecommunications. There is a wide array of internet resources that can help organisations develop, manage and secure IT, some of which are focused upon the identification and assessment of risk. The list below provides a start for research in this area.
 
The International Standards Organisation (ISO) offers a range of standards relating to IT governance and business continuity. Perhaps the most well known of these is the ISO27000 series, which provides a process approach to establishing a risk-based information security management system (ISMS). The Information Systems Audit and Control Association (ISACA) has designed an IT governance model known as Control Objectives for Information and related Technology (CoBiT). The ISACA website also offers a range of information and computer assisted audit techniques (CAATs), some of which can be downloaded for free.

The UK Information Commissioner’s website explains what the Data Protection Act and the Freedom of Information Acts mean to individuals and organisations. The site also contains guidance on how to protect personal information and how to access official records. The equivalent in Ireland is The Office of the Data Protection Commissioner.

Business Link provides information, advice and support to help people start, maintain and grow a business. It includes information on IT and e-commerce. Go to the home page and select the section on IT and e-commerce. The UK Department for Business Innovation and Skills (BIS - formerly BERR) focuses on policy to embed good security practice within the UK business community. It has created dedicated information security business advice pages which provide easy to understand, jargon-free information about a variety of information security issues.
 
For people looking to develop their expertise in IT, the Institute has created an IT Auditing Certificate aimed at qualified internal auditors. You can find out more within Qualifications and CPD.
 
There is also a range of information within the Resource Library. This includes all four of the IT Briefing Note series that were published between 2001 and 2003: Internet security, IT Disaster recovery, Computer forensics, and Auditing in an e-business environment. Since 2005 the Global Technology Audit Guides (GTAGs) have helped to maintain the focus on IT and IT auditing. All of the GTAG series can be found in the Practice Guides section of our website.



Project management

Project management is related to change within organisations and is a complex subject, so the material we provide under this heading should be regarded as a starting point for further research. Here are just a few website resources that provide useful information.

The resource section of The Association of Project Management UK (APM) provides a wide range of information on project management, including the 5th Edition of the APM Body of Knowledge. This website also provides details of the APM practitioner qualifications.

The Office of Government Commerce (OGC) has an extensive range of information regarding programme and project management. This includes the OGC Gateway Review Process that examines how key decisions are made in the project lifecycle. The OGC also offers a range of information on the application of the project management process known as Prince 2, which includes information on the Common causes of project failure. The Portfolio, programme and project management maturity model can be found within the P3M3 section of the OGC website.

The UK Department of Business Enterprise and Regulatory Reform (BERR) published Guidelines for Managing Projects in 2007. The UK Department for Business Innovation and Skills provides a number of useful project management templates, including business case, project brief and project initiation. The Project Management Institute UK and the Institute of Project Management Ireland provide a range of opportunities for professional development and a library of global standards and publications. The British Standards Institute standard BS 6079-1:2010 Project Management provides principles and guidelines for the management of projects.

The Institute has published a short piece of guidance entitled An introduction to projects and project auditing for internal auditors who want to review this subject area. Members may also be interested in GTAG 12 Auditing IT Projects.



Sustainability, ethics and corporate and social responsibility

Modern organisations face demands from customers and investors to establish ethical and socially responsible policies and to periodically report their performance against policy. The Institute has published guidance to help members understand the complexity around this subject and the role that internal auditors can play. This includes PBN 15 Ethical and Social Responsibility and a PIB entitled Ethical and Social Audit Reporting. In addition, there are a number of useful web-based resources.

The Global Reporting Initiative (GRI) produced the first guidelines for sustainability reporting and is the most common framework used in the world for reporting.

The Corporate Register is the global independent corporate responsibility resources website. To access the content, you need to register and log in but it is free. It provides registered users access to corporate responsibility reports, news and events.

The AA1000 series is a product of AccountAbility, an international not-for-profit organisation dedicated to the promotion of social, ethical and organisational accountability. In late 2008, AccountAbility issued the latest version of two of the standards in the series and the Institute issued guidance entitled: Sustainability and the AA1000 series, summarising the main points of interest for internal auditors.



Finance

A recession often changes the nature of the financial risks facing the organisation and the focus of internal audit plans. At the moment credit management and the availability of cash are high on most organisations' list of priorities. Help is available from Credit Management Matters, an online portal designed to help organisations get paid. This includes a series of key guides to managing cash flow that have been sponsored by The UK Department for Business Innovation and Skills and Business Link.



Fraud

It is management’s job to prevent, detect and investigate fraud but internal audit may be asked to support and advise upon the organisation’s efforts to combat this risk, particularly during a recession when the likelihood of fraud increases. The various roles that internal audit can play in relation to fraud are set out in the IIA UK and Ireland Fraud Position Statement published in 2003.

Resources on fraud can also be obtained from HM Treasury, which publishes guides for managers and statistical analysis on fraud in government, and from the Fraud Advisory Panel, a charity that works to raise the awareness of fraud, which has recently published its 12th annual review entitled Managing the Risk of Fraud. The National Audit Office also issued 'A fresh approach to combating fraud in the public sector' in March 2010.


Further guidance, information and magazine articles on fraud are available in our Resource Library, including a practical guide sponsored by the Global Institute also entitled Managing the Business Risk of Fraud. To view a list of these documents go to the Resource Library page and type ‘fraud’ into the ‘free text’ search box.
