The document outlines Deloitte's internal audit approach, categorizing audits into three levels: core, advanced, and emerging, each with varying focus on compliance and technology risks. It emphasizes the need for a shift from traditional compliance-focused audits to more strategic audits that leverage new technologies and identify significant value opportunities. The publication also serves as a disclaimer regarding the nature of the information and recommends consulting professional advisors for business decisions.

1. Copyright © 2014 Deloitte Development LLC. All rights reserved.
IT Internal Audit
Auditing What Matters

2. Copyright © 2014 Deloitte Development LLC. All rights reserved.
IT Internal Audit Approach
Risk
Value
Level 1
Core
Level 2
Advanced
Level 3
Emerging
A
B
C
D
E
F
G
H
IJ
K
L
M
N O
P
Q
1

3. Copyright © 2014 Deloitte Development LLC. All rights reserved.
• Repetitive services
• Compliance focused
• Comprises most of
current audit universes
• Commoditized audits
IT Internal Audit Projects
Core
ITGCs
SOX Testing
DRP
Other Compliance
SoD
A
B
C
D
E
Level 1
2

4. Copyright © 2014 Deloitte Development LLC. All rights reserved.
• Repetitive services
• Compliance focused
• Comprises most of
current audit universes
• Commoditized audits
IT Internal Audit Projects
Core
ITGCs
SOX Testing
DRP
Other Compliance
SoD
A
B
C
D
E
• Maturing technologies
that haven’t been a
focus
• Some compliance
aspects
• Opportunities to add
value
Advanced
IT Governance
Attack and Pen
IAM
End User Computing
Software Asset Mgmt
GRC
F
G
H
I
J
Level 1 Level 2
K
3

5. Copyright © 2014 Deloitte Development LLC. All rights reserved.
• Repetitive services
• Compliance focused
• Comprises most of
current audit universes
• Commoditized audits
IT Internal Audit Projects
Core
ITGCs
SOX Testing
DRP
Other Compliance
SoD
A
B
C
D
E
• Maturing technologies
that haven’t been a
focus
• Some compliance
aspects
• Opportunities to add
value
Advanced
IT Governance
Attack and Pen
IAM
End User Computing
Software Asset Mgmt
GRC
F
G
H
I
J
• New technologies
• High visibility/risk
• Highly strategic
• Significant opportunities
to provide additional
value
Emerging
Mobile Endpoint
Cyber Terrorism
Privacy
IT Risk Mgmt
Enterprise Record
Mgmt
Social Media
Cloud Computing
L
M
N
O
P
Level 1 Level 2 Level 3
K
Q
4
R

6. Copyright © 2014 Deloitte Development LLC. All rights reserved.
Current State
Level 1
Level 2
Level 3
IT Internal Audit Universe Allocation
Future State
Level 1
Level 2
Level 3
5

7. Copyright © 2014 Deloitte Development LLC. All rights reserved.
Contacts
6
Michael Juergens
Managing Principal
Information Technology Internal Audit
Deloitte & Touche LLP
+1 213 688 5338
michaelj@deloitte.com
Twitter: @michaeljuergens
LinkedIn: www.linkedin.com/pub/michael-juergens/2/221/988/
Tune in to this brief audio/visual presentation at:
http://event.on24.com/clients/deloitte/portal/index.html?playlist=itia&event=700466

8. Copyright © 2014 Deloitte Development LLC. All rights reserved.
This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this
publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or
services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect
your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any
person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a
legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and
its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not
be available to attest clients under the rules and regulations of public accounting.