Meet eSAC, IIA's New Model for Technology Audits

At Fidelity Investments, the internal auditors use a heat map to discuss concerns and issues related to information technology (IT). The heat map communicates priorities and potential consequences though a range of colors from gray or white (cool) through blue and green to yellow (caution)and orange or red (hot). This innovative presentation is based on the eSAC Model recently developed by the Research Foundation of the Institute of Internal Auditors (IIA).

The Foundation named its model eSAC to reflect the nature of today’s e-business models and the accompanying need for Electronic Systems Assurance and Control. A key purpose of the model is to provide management and auditors with a practical framework for relating basic assurance objectives to the dynamic environments in which companies operate today.

The basic assurance objectives included in the eSAC Model are:

  • Availability: The system is able to receive, accept, process, and support transactions at all times, as required, (e.g., 7 days a week, 24 hours a day, 365 days a year).
  • Capability: The system allows for end-to-end reliable, timely completion and fulfillment of all transactions.
  • Functionality: The system provides necessary facilities, responsiveness, and ease-of-use to meet user needs and expectations.
  • Protectability: The system includes logical and physical security controls ensure authorized access and deny unauthorized access to servers, applications, and information assets.
  • Accountability: The transaction processing is accurate, complete, and non-refutable.

The model also incorporates the building blocks that make assurances possible, (i.e., people, technology, processes, investment, and communication), the external forces that impact assurances, (e.g., ever-increasing interaction, interconnectivity, and system sharing with customers, competition, regulators, community, and owners), and difficult-to-monitor intangibles, such as the speed of change and external interdependencies (e.g., providers, alliances, and agents).

Learn more about eSAC.

-Rosemary Schlank


Already a member? log in here.

Editor's Choice