💼 33 Internal audit - Assurance to the Board

• Contextual name: 💼 33 Internal audit - Assurance to the Board
• ID: /frameworks/apra-cpg-234/33
• Located in: 💼 APRA CPG 234

Description

Empty...

Similar

• Internal
  • ID: dec-b-30a0dcf0

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 83 Internal audit is an important vehicle by which the Board can gain assurance that information security is maintained. This assurance would typically be achieved through the inclusion of information security within the APRA-regulated entity’s internal audit plan. The Board could also choose to gain assurance through expert opinion or other means to complement the assurance provided by the internal audit function. This typically occurs where the required skills do not reside within the internal audit function or the area subject to audit pertains to third parties or related parties.
💼 84 Under CPS 234, an APRA-regulated entity’s internal audit function must review the design and operating effectiveness of information security controls. In APRA’s view, an approach which achieves comprehensive assurance would involve an audit program which assesses all aspects of the information security control environment over time. The frequency at which areas to be audited are assessed would take into account the impact of an information security compromise and the ability to place reliance on other control testing undertaken. Additional assurance work may be triggered by changes to vulnerabilities and threats or material changes to IT assets.
💼 85 Where internal audit relies on control testing performed by other areas, APRA would expect the internal audit function to assess the scope and quality of the testing conducted in order to determine how much reliance can be placed upon it.