Meet eSAC, IIA's New Model for Technology Audits

At Fidelity Investments, the internal auditors use a heat map to discuss concerns and issues related to information technology (IT). The heat map communicates priorities and potential consequences through a range of colors from gray or white (cool) through blue and green to yellow (caution) and orange or red (hot). This innovative presentation is based on the eSAC Model recently developed by the Research Foundation of the Institute of Internal Auditors (IIA).

The Foundation named its model eSAC to reflect the nature of today’s e-business models and the accompanying need for Electronic Systems Assurance and Control. A key purpose of the model is to provide management and auditors with a practical framework for relating basic assurance objectives to the dynamic environments in which companies operate today.

The basic assurance objectives included in the eSAC Model are:

  • Availability: The system is able to receive, accept, process, and support transactions at all times, as required (e.g., 7 days a week, 24 hours a day, 365 days a year).
  • Capability: The system allows for end-to-end reliable, timely completion and fulfillment of all transactions.
  • Functionality: The system provides necessary facilities, responsiveness, and ease-of-use to meet user needs and expectations.
  • Protectability: The system includes logical and physical security controls that ensure authorized access and deny unauthorized access to servers, applications, and information assets.
  • Accountability: The transaction processing is accurate, complete, and non-refutable.

The model also incorporates the building blocks that make assurances possible (i.e., people, technology, processes, investment, and communication), the external forces that impact assurances (e.g., ever-increasing interaction, interconnectivity, and system sharing with customers, competition, regulators, community, and owners), and difficult-to-monitor intangibles, such as the speed of change and external interdependencies (e.g., providers, alliances, and agents).

Learn more about eSAC.

-Rosemary Schlank
