Meet eSAC, IIA's New Model for Technology Audits

At Fidelity Investments, the internal auditors use a heat map to discuss concerns and issues related to information technology (IT). The heat map communicates priorities and potential consequences through a range of colors from gray or white (cool) through blue and green to yellow (caution) and orange or red (hot). This innovative presentation is based on the eSAC Model recently developed by the Research Foundation of the Institute of Internal Auditors (IIA).

The Foundation named its model eSAC to reflect the nature of today’s e-business models and the accompanying need for Electronic Systems Assurance and Control. A key purpose of the model is to provide management and auditors with a practical framework for relating basic assurance objectives to the dynamic environments in which companies operate today.

The basic assurance objectives included in the eSAC Model are:

  • Availability: The system is able to receive, accept, process, and support transactions at all times, as required (e.g., 7 days a week, 24 hours a day, 365 days a year).
  • Capability: The system allows for end-to-end reliable, timely completion and fulfillment of all transactions.
  • Functionality: The system provides necessary facilities, responsiveness, and ease-of-use to meet user needs and expectations.
  • Protectability: The system includes logical and physical security controls that ensure authorized access and deny unauthorized access to servers, applications, and information assets.
  • Accountability: The transaction processing is accurate, complete, and non-refutable.

The model also incorporates the building blocks that make assurances possible (i.e., people, technology, processes, investment, and communication), the external forces that impact assurances (e.g., ever-increasing interaction, interconnectivity, and system sharing with customers, competition, regulators, community, and owners), and difficult-to-monitor intangibles, such as the speed of change and external interdependencies (e.g., providers, alliances, and agents).

Learn more about eSAC.

-Rosemary Schlank
