GTAG 11 - Developing The IT Audit Plan
Developing the IT Audit Plan
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Management of IT Auditing
Managing and Auditing Privacy Risks
Information Technology Outsourcing
Auditing Application Controls
Business Continuity Management
For more information and resources regarding technology-related audit guidance, visit www.theiia.org/technology.
Authors
Kirk Rehage, Chevron Corporation
Steve Hunt, Crowe Horwath LLP
Fernando Nikitin, Inter-American Development Bank
July 2008
Copyright 2008 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Fla.,
32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical,
photocopying, recording, or otherwise without prior written permission from the publisher.
The IIA publishes this document for informational and educational purposes. This document is intended
to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such
advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.
Table of Contents
1. Executive Summary
2. Introduction
2.1 IT Audit Plan Development Process
3. Understanding the Business
3.1 Organizational Uniqueness
3.2 Operating Environment
3.3 IT Environment Factors
4. Defining the IT Audit Universe
4.1 Examining the Business Model
4.2 Role of Supporting Technologies
4.3 Annual Business Plans
4.4 Centralized and Decentralized IT Functions
4.5 IT Support Processes
4.6 Regulatory Compliance
4.7 Define Audit Subject Areas
4.8 Business Applications
4.9 Assessing Risk
5.
8. Glossary of Terms
9. Glossary of Acronyms
10.
GTAG Introduction
2. Introduction
4 IT Governance Institute's Control Objectives for Information and Related Technology (COBIT), Third Edition, p. 5.
[Figure: chart with segments 36% (label not recovered); 3% No audit plan; 0% More than every two years; 1% Every two years; 60% Every year.]
Results from several IIA external quality assessment reviews
(QARs) reveal that developing an appropriate IT audit plan
is one of the weakest links in internal audit activities. Many
times, instead of doing risk-based auditing, internal auditors
review what they know or outsource to other companies,
letting them decide what to audit.
This guide offers techniques for addressing this challenge: how to determine what should be included in the
IT audit scope and how these audit areas could be organized
into manageable audit units to create an effective IT audit
plan for the organization.
Defining the annual audit plan should follow a systematic process to ensure all fundamental business aspects and
IT-service support activities are understood and considered.
Therefore, it is essential that the foundation for the plan be
rooted in the organization's objectives, strategies, and business model. Figure 2 depicts a logical work-flow progression
using a top-down approach to define the IT audit plan that
will be used in this guide.
The first step in defining the annual IT audit plan is to
understand the business. As part of this step, auditors need
to identify the strategies, company objectives, and business
models that will enable them to understand the organization's
unique business risks. The audit team also must understand
how existing business operations and IT service functions
support the organization.
[Figure 2: Top-down work flow for defining the IT audit plan, in four steps.
Understand the Business: identify the organization's strategies and business objectives; understand the high risk profile for the organization; identify how the organization structures their business operations; understand the IT service support model.
Define IT Universe.
Perform Risk Assessment: develop processes to identify risks; assess risk and rank audit subjects using IT risk factors; assess risk and rank subjects using business risk factors.
Formalize Audit Plan: select audit subjects and bundle into distinct audit engagements; determine audit cycle and frequency; add appropriate engagements based on management requests or opportunities for consulting; validate the plan with business management.]
After becoming familiar with the organization's entity-level strategic objectives, the next step is to identify the key
processes that are critical to the objectives' success. When
doing so, auditors need to understand how each business
process differs within operating units, support functions, and
major organizationwide projects, as well as how the process
relates and links to entity objectives.
Project processes are unique, but equally important, in
ensuring initiatives that add value to the organization are
managed and commercialized appropriately. A process is
considered key if its failure prevents the organization from
fully achieving the strategic objective to which it is tied.
Operating units include core processes through which the
organization achieves primary objectives, such as manufacturing, sales, and distribution activities. Support functions
include management processes that oversee and support core
operational functions, such as governance and compliance
activities, finance, human resources, treasury, cash management, and procurement activities.
Once processes are identified, auditors need to outline
the significant applications and critical IT infrastructure
(e.g., databases, operating systems, networks, and physical
environments) supporting these applications. Underlying
these applications and IT infrastructure are supporting IT
processes, such as systems development life cycles, change
management, operations, and security activities. Auditors
should note that applications require periodic assessments
based on their significance to financial reporting activities,
regulatory compliance, or operational requirements.
Examining the operating environment this way (i.e.,
starting from the top of the organization) will help auditors understand and inventory each critical component. To
fully understand the operating environment and its risks
also requires a comprehensive understanding of different
technology factors that influence and help categorize organizational risks.
Different factors and analysis techniques should be considered to understand the operational environment and its
unique risks. This is because an organization's control environment complexity will have a direct effect on its overall
[Figure: diagram relating business processes (operating processes, support processes, and projects processes) to applications (Application A, Application B, Application C), IT infrastructure services (database, operating system, network/physical), IT general controls, and application controls. Other labels in the figure: Manufacturing, Sales, Distribution, Financial Reporting, Payroll, IT, Cash Mgmt, Support, Projects, Systems Development, Change Management, Logical Access, Physical controls, Service & Support Processes, Backup & Restore, Security, Authorization, Integrity, Availability, Confidentiality, Segregation of duties, Economics, Design.]
GTAG Understanding the Business
Finally, networks link computers and enable them to
communicate with each other. They consist of physical
components, such as switches, routers, firewalls, wiring,
and programs that control the routing of data packets.
Networks also can be deployed using radio frequency
technology, commonly called wireless networks.
All four layers of the stack are essential to enabling
automated business functionality and introduce availability, integrity, and confidentiality risks. The degree
of risk is based on the criticality of the business activity
the technology supports and enables, and on the technology's configuration and deployment. Therefore, the
more variety in each of these layers, the higher the
organization's risk profile. For instance, it is simpler for
IT departments to manage a homogeneous environment of Windows 2003 servers running a SQL Server
database for a single enterprise resource planning (ERP)
application than a variety of operating systems and database platforms underlying different applications. While
ideal, the first scenario might not be practical for a large
organization with diverse operations or a decentralized
business model. In creating the audit universe, critical IT
elements should be identified and assessed as part of the
top-down analysis techniques described in this guide.
benefits of ITIL is that it establishes a common vocabulary of defined and widely used terms. Organizations that
implement ITIL concepts have claimed a higher degree
of reliability and lower delivery costs.
8. The level of reliance on technology. Some organizations are intensive technology users or use technology to
differentiate themselves from their peers and competitors.
While technology can improve overall internal controls
with the use of automated application controls, strong
governance and internal operational processes become
more important as reliance on IT increases. In addition,
as organizations depend more on the availability and
integrity of IT functionality to enable business operations and meet their objectives, the significance of IT
risks in the organization's overall risk profile increases.
Hence, the nature and extent to which the organization
relies on technology should be evident in the risk assessment used to develop the IT audit plan.
These eight IT environment factors, along with the
top-down approach used to understand the organization's
operations and IT infrastructure, provide auditors with the
information needed to move to the next step of the audit
planning process: defining the IT audit universe and
performing a risk assessment.
GTAG Defining the IT Audit Universe
There are several benefits to identifying centralized audit
subjects. The main benefit is the effective use of limited IT
audit resources, which can enable the audit team to focus on
one area, use sampling techniques, and gain a large amount of
coverage in a single audit. Another benefit is the transfer of
internal audit efficiencies to other audits because centralized
areas have already been covered and may be excluded from
the scope of other audits. The benefit of referencing centralized audit coverage is particularly applicable to application
auditing. For example, there could be hundreds of applications residing within a Windows server administration group
environment. Since the general controls for the infrastructure
are reviewed in a more centralized audit, the IT audit should
be limited to application-specific technical areas rather than
the entire infrastructure platform hosting the application.
The organization also benefits as it is audited thoroughly only
once and is not impacted when applications are reviewed
individually during each business process audit.
Furthermore, organizations may centralize their IT functions differently. A common practice of many organizations
is to create a single network support function that manages
its network design and security administration. This network
support function could be divided into firewall, router,
and switch configuration activities, as well as Internet
connectivity, wireless, digital voice, and external network
connection management. As a result, each of these areas
may be an independent audit subject in the IT universe.
Furthermore, because centralized IT functions can change
over time, they should be reviewed and refreshed in the audit
universe at least annually.
A similar approach can be taken for decentralized IT
functions, where each physical location might represent
a separate audit subject. Depending on the location's size,
the site's audit may review general and technical controls
for each infrastructure stack layer. The review should only
include the IT controls for which the local site is responsible,
while controls handled by centralized IT functions should
be excluded. If the site is large and supports a wide number
of technologies, auditors might need to perform multiple
reviews for that location as part of the IT audit universe.
CAEs need to determine which audit group will be responsible for the planning and oversight of business application
audits. Depending on how the audit function operates, business applications can be included as part of the IT audit
universe, business audit universe, or both. There is a growing
consensus among internal audit functions that business
applications should be audited with the business processes
they support. This provides assurance over the entire suite
of controls, automated and manual, for the processes
under review, helps to minimize gaps and overlaps of audit
efforts, and minimizes confusion over what was included in
the scope of the engagement.
Because of its expertise, the business audit function is
probably best suited to determine when applications should
be reviewed. If business applications are maintained as part
of the IT audit universe, the business audit universe should
be linked to the IT audit universe to work together during
the audit. Even if business applications are maintained separately from the IT audit universe, individual audit subjects
can be created within the IT audit universe for large-scale
applications that are used by multiple functions for multiple
processes, such as ERP systems. This is because it might make
sense to review the application's general controls in a standalone audit rather than arbitrarily including this area in one
of the many business audits.
GTAG Performing a Risk Assessment
5. Performing a Risk Assessment
The IIA defines risk as the possibility that an event will occur
that could affect the achievement of objectives, which is
measured in terms of impact and likelihood.9 Therefore, it is
vitally important for organizations to determine the contents
of their risk portfolio periodically and perform activities to
manage risks to an acceptable level. As discussed earlier, the
risk assessment process should not be conducted until the
CAE and internal audit team understand the contents of the
IT universe and how they link back to or support the organization. It is paramount, no matter the risk assessment model
or approach used, for the risk assessment to determine IT
environment areas that can significantly hinder the organization's achievement of objectives. In other words, the risk
assessment needs to examine the infrastructure, applications,
and computer operations or components that pose the greatest
threat to the organization's ability to ensure system and data
availability, reliability, integrity, and confidentiality.
In addition, auditors need to identify the effectiveness and
usefulness of risk assessment results, which should be directly
predicated on the methodology employed and its proper
execution. That is, if the risk assessment's methodology
input (i.e., the IT universe and its link to the business audit
universe) is deficient or is applied incorrectly, it is likely that
the output (i.e., risk assessment results) will be incomplete
in some capacity.
After the CAE and internal audit team understand the organization and its use of technology, they can conduct the risk
assessment. Performing this task correctly is paramount to
ensuring relevant IT risks (i.e., those with the greatest likelihood of occurrence and impact to the organization) are
identified and evaluated effectively and adequate mitigation
measures take place. The culmination of the risk assessment
process is then used by the CAE and audit team to develop
the IT audit plan.
5.1.3 IT Universe
1. Direct probability estimates and expected loss functions or the application of probabilities to asset values
to determine exposure for loss. This process is the oldest
and not considered a best practice. The insurance industry
still uses this method, but internal auditing does not.
5.3 Leading IT Governance Frameworks
Level | Composite Risk Score Range | Recommended Annual Cycle
 | 35-54 | Every 1 to 2 years
 | 20-34 | Every 2 to 3 years
 | 6-19 | Every 3 to 5 years
COBIT 4.1, p. 8.
[Table: risk assessment scoring by area. Column headings: Area; Financial Impact; Quality of Internal Controls; Changes in Audit Unit; IT Risks; Availability; Integrity; Confidentiality; Score and Level. Legend: L = Likelihood; I = Impact. Areas recovered: HR/Payroll Application; IT Infrastructure; IT Governance Practices; Remote Connectivity. The scale is marked with 54 and a mid point of 30.]
GTAG Formalizing the IT Audit Plan
6. Formalizing the IT Audit Plan
Defining the IT audit universe and performing a risk assessment are precursor steps to selecting what to include in the
IT audit plan. While everything in the IT audit universe
could be reviewed on a recurring basis if the availability of
resources is unlimited, this is not the reality for most internal
audit functions. Consequently, CAEs must create an IT audit
plan within the constraints of the audit function's operating
budget and available resources.
[Figure 4. Objectives for risk assessment and audit plan (Source: Ernst & Young 2007). Risk Assessment: Driver = Risks; Influencer = Resources; Key Activities. Audit Plan: Driver = Resources; Influencer = Risks; Key Activities. Additional label: Allocate Resources.]
Priority | Frequency | Resource Allocation
Immediate action, usually within the first year | Annual reviews or multiple actions within the cycle | High allocation
Mid-term action within the audit cycle | One or several audit engagements within the cycle; could be postponed | Base allocation
 | At most one audit engagement planned within the cycle | Limited allocation
well as estimated efforts in terms of their timeframe for
completion and resources.
4. The plan should be prioritized based on:
a. Dates and results of the last audit engagement.
b. Updated assessments of risks and effectiveness of risk
management and control processes.
c. Requests by the board and senior management.
d. Current issues relating to organizational governance.
e. Major changes in the business, operations, programs,
systems, and controls.
f. Opportunities to achieve operating benefits.
g. Changes to and capabilities of the audit staff. (Work
schedules should be sufficiently flexible to cover unanticipated demands on the internal audit activity.)
In addition to frequency, other factors should be considered when defining the audit plan:
- Internal audit sourcing strategies. Different sourcing or staff augmentation strategies are common practices in the industry, including hiring internal staff, outsourcing, and co-sourcing, which should be considered during the annual planning process.
- Estimated available IT audit resources. This consists of a technical skills inventory of current staff that is mapped to IT audit plan needs. The availability of resources usually is established on an annual basis and is based on the number of full-time equivalent auditors and skills required. Available audit days are the net of possible audit days minus nonaudit activities and exception time, such as training, vacation, and holidays.
- Board and management requests included in the plan and related to control assurance or consulting services.
- The organization's regulatory and compliance requirements. These should be included in the audit universe and risk assessment.
- External audits that should be synchronized with the audit plan. The IIA Performance Standard 2050 establishes that the CAE should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
- Internal initiatives and efforts to improve the audit function. Any effort beyond audit engagements that represents an investment of effort should be planned, budgeted, and reflected in the audit plan. Examples include quality assurance reviews, integrated risk assessments, audit committee reporting tasks, and audit recommendation follow-ups.
- A contingency IT audit budget and plan for reasonable coverage of unplanned situations.
The content of the IT audit plan should be a direct reflection of the risk assessment described in previous sections.
The plan also should have different types of IT audits, for
example:
- Integrated business process audits.
- Audits of IT processes (e.g., IT governance and strategy audits, as well as audits of the organization's project management efforts, software development activities, policies and procedures, COBIT/ISO/ITIL processes, and information security, incident management, change management, patch management, and help desk activities).
- Business projects and IT initiative audits, including software development life cycle (SDLC) reviews.
- Application control reviews.
- Technical infrastructure audits (e.g., demand management reviews, performance reviews, database assessments, operating systems audits, and operation analyses).
- Network reviews (e.g., network architecture reviews, penetration testing, vulnerabilities assessments, and performance reviews).
To verify each audit provides appropriate coverage, auditors can incorporate the following elements as part of the
audit:
- IT general controls, application controls, and infrastructure controls.
- Contributions to operational reviews, financial reviews, and compliance reviews.
- Main control objectives (i.e., segregation of duties, concentration of duties, and security, among others).
- New IT trends and their threats, innovations, and impact.
- All IT layers of the stack.
Audit Universe | Low-integrated Audit Plan | Partially Integrated Audit Plan | Highly Integrated Audit Plan
Business Processes (Operational, Financial, Compliance) | Non-IT audit | Non-IT audit | Integrated approach
Applications Systems (Application controls, IT general controls) | IT audit | Integrated approach | Integrated approach
IT Infrastructure Controls (Databases, Operating systems, Network) | IT audit | IT audit | Integrated approach
[Figure labels: Targeted Result; Mandated; Risk Assessed; Audit Resources; Risk Impact (High, Low); Likelihood; Total Audit Universe; Consider alternative audit approach.]
GTAG Appendix: Hypothetical Company Example
7. Appendix: Hypothetical Company Example
- Manufacturing Systems:
  - Responsible for systems operating at manufacturing facilities.
  - Local applications include payroll for non-U.S. sites, research and quality control databases, environmental reporting, and manufacturing process control systems.
  - Financial analysis and controls.
The manufacturing facilities are the organization's lifeblood. Because they are located throughout the world and
have different capacity sizes, they introduce risks that may
impact business fundamentals and financials. Furthermore,
although the manufacturing facilities create a somewhat
decentralized business model, the organization's centralized
corporate and service elements offer the opportunity for
process-based audits that cross business functions.
In the area of compliance, the organization is subject to U.S.
and European requirements, including Sarbanes-Oxley, the
European Union's Directive on Data Protection (Privacy),
the U.S. Foreign Corrupt Practices Act, and other similar
regulations in the locations in which it operates. According
to the annual business plan, several major capital investment
projects are under way that will have a great impact on the
organization's future competitiveness.
Finally, the company's IT function aligns closely with its
business model. The company uses a fairly homogeneous
group of applications, including a standard ERP application,
a global network and server infrastructure, and standard
support processes for IT service delivery functions, governance, and security.
- Enterprise applications:
  - One major ERP application used throughout the company for supply chain management, financial accounting, human resources (based in the United States), sales, and distribution.
  - Also supplies SAP technical support and Advanced Business Application Programming (ABAP).
[Table: audit subjects and their organizational level. Audit subjects recovered: Remote connectivity; IT governance practices; IT infrastructure. Levels recovered: Corporate; Business Segment 1-3; Facility 1-30.]
Level | Composite Risk Score Range | Recommended Annual Cycle
 | 35-54 | Every 1 to 2 years
 | 20-34 | Every 2 to 3 years
 | 6-19 | Every 3 to 5 years
[Table: risk assessment scoring by area for the hypothetical company. Column headings: Area; Financial Impact; Quality of Internal Controls; Changes in Audit Unit; IT Risks; Availability; Integrity; Confidentiality; Score and Level. Legend: L = Likelihood; I = Impact. Areas recovered: Facility 3 IT Infrastructure; Facility 1 IT Infrastructure; Facility 2 IT Infrastructure; Facility 30 IT Infrastructure; IT Governance Practices; Remote Connectivity. Levels shown include M/H and M/L.]
[Table 11. The audit plan. Column headings recovered: Engagement; Risk Level; Cycle. Engagements recovered: Facility 3: IT Infrastructure; Facility 1: IT Infrastructure; Sarbanes-Oxley Sustainability. Risk levels shown include M/H, M/*, and L/*. Total: 1000. * Management Request.]
The audit plan in Table 11 represents the ideal audit plan
based on the company's internal audit department and its
understanding of the company's strategies and objectives,
historical knowledge of the control environment, and anticipated changes in operations during the next audit period.
The plan should be reviewed with senior and operations
management as a follow-up discussion to the risk assessment
and audit planning phases. Doing so will validate management input was considered accurately in the process and give
managers a preview of the upcoming year's IT audit plan.
The review also is an appropriate time to discuss potential
audit engagement dates as the company might experience
blackout periods due to the audit's possible disruption of
company operations. For example, planned dates for application or infrastructure upgrades should be discussed, as well
as schedules of significant operational activities, such as
plant shutdowns and turnarounds, that could affect the audit
process.
Following the plan's completion is the scheduling of audits
and audit resources. In general, audits have to be staffed with
appropriately skilled auditors to ensure the engagement's
success. However, the audit schedule is also a good opportunity to address staff development needs through the exposure
of audits that will expand and develop specific skill areas.
Finally, there will be changes that might impact the audit
plan and schedule due to the organization's dynamic nature.
As a result, it is important to have an effective plan in place,
manage the plan throughout its life cycle, and be flexible to
company changes so that resources stay focused on evolving
risk areas and the organization's concerns.
Policy: A written statement that communicates management's intent, objectives, requirements, and responsibilities.
Risk assessment: A methodology for determining the likelihood of an event that could hinder the organization from
attaining its business goals and objectives in an effective,
efficient, and controlled manner.
Framework: Guiding principles that form a template organizations can use to evaluate business practices.
GTAG Glossary of Acronyms
9. Glossary of Acronyms
CAE: Chief audit executive
CBOK: The IIA Research Foundation's Common Body of Knowledge
COBIT: Control Objectives for Information and Related Technology
COSO: The Committee of Sponsoring Organizations of the Treadway Commission
EFT: Electronic funds transfer
ERM: Enterprise risk management
ERP: Enterprise resource planning
EU: European Union
GLBA: U.S. Gramm-Leach Bliley Act
GTAG: Global Technology Audit Guide
HIPAA: U.S. Health Insurance Portability and Accountability Act
IIA: The Institute of Internal Auditors
ISO: International Organization for Standardization
IT: Information technology
ITGI: IT Governance Institute
ITIL: The UK Office of Government Commerce's IT Infrastructure Library
PCAOB: U.S. Public Company Accounting Oversight Board
PCI DSS: Payment Card Industry Data Security Standard
QAR: The IIA's external quality assurance review
SDLC: System development life cycle
SOX: U.S. Sarbanes-Oxley Act of 2002
Kirk Rehage
Kirk Rehage is the group manager of
IT auditing for Chevron Corp., a member
of The IIA's Advanced Technology
Committee and ISACA, and term
governor for the North California East
Bay IIA Chapter. As IT audit group
manager, Rehage is responsible for the
Internal Audit Department's IT assurance and controls consulting activities in more than 180
countries.
Rehage has more than 30 years of energy industry experience and has held a variety of roles delivering IT services,
such as building computing infrastructure and network environments, managing application delivery organizations, and
technical programming of engineering and earth science
analytical software and database solutions.
Reviewers
The IIA thanks the following individuals and organizations
that provided valuable comments and added great value to
this guide:
- Professional Practices Committee:
  - Advanced Technology Committee
  - Board of Regents
  - Committee on Quality
  - Internal Auditing Standards Board
  - Professional Issues Committee
  - Ethics Committee
- Urton Anderson, McCombs School of Business, The University of Texas at Austin, USA
- Lily Bi, The IIA, USA
- Larry Brown, The Options Clearing Corp., USA
- Faisal R. Danka, London, UK
- Christopher Fox, ASA, eDelta, New York, USA
- Nelson Gibbs, Deloitte & Touche LLP, USA
- Frank Hallinan, Chevron Phillips Chemical Co. LP, USA
- Greg Kent, SecureIT, USA
- Lemuel Longwe, Ernst & Young Chartered Accountants, Zimbabwe
- Steve Mar, Resources Global, USA
- Tom Margosian, Ford Motor Company, USA
- James Reinhard, Simon Property Group Inc., USA
978-0-89413-624-5
www.theiia.org