Chapter Three
IT Risks and Controls

Lecture Outline
– Identifying IT Risks
– Assessing IT Risks
– Identifying IT Controls
– Documenting IT Controls
– Monitoring IT Risks and Controls
Types of IT Risks
What is risk?
– Chances of negative outcomes
Business risk
– Likelihood that an organization will not achieve its business goals and objectives
– Internal & external risk
Audit risk
– Likelihood that an organization's external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or
– an IT auditor fails to uncover a material error or fraud.
Inherent risk
» Likelihood of material errors or fraud inherent in the business environment.
Control risk
» Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.
Detection risk
» Likelihood that audit procedures will not detect material errors or fraud on a timely basis.
Security risk
– Risks associated with data access and integrity
– Physical or logical unauthorized access
– Negative outcomes
Continuity risk
– Risks associated with an information system's availability and backup and recovery
Assessing IT Risk
Threats and vulnerabilities
– Identify threats or exposures
– Assess vulnerabilities to threats or exposures
– Determine acceptable risk level
» The expected value of risk
Risk indicators and risk measurement
– Identify IT processes and then develop a set of risk indicators
– Risk indicators would point to a need for control
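As an added illustration (not part of the lecture), the expected value of risk computed for a constructed register of IT processes and compared against an assumed acceptable risk level, so that the resulting risk indicators flag where a control is needed. The register entries, the threshold and the likelihood-reduction model used for a control are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class ITRisk:
    """One threat or exposure identified for an IT process (constructed sample data)."""
    process: str
    threat: str
    likelihood: float  # assumed annual probability that the threat materialises (0..1)
    impact: float      # assumed loss if it does, in currency units

    def expected_value(self) -> float:
        # Expected value of risk: likelihood of the negative outcome times its cost.
        return self.likelihood * self.impact


# Assumed acceptable risk level: the expected loss management is willing to tolerate.
ACCEPTABLE_RISK = 20_000.0


def sample_register() -> list[ITRisk]:
    """Constructed register covering a security risk, a continuity risk and an error risk."""
    return [
        ITRisk("Payroll", "unauthorized logical access to payroll data", 0.10, 500_000),
        ITRisk("Order entry", "server outage without tested backup and recovery", 0.30, 40_000),
        ITRisk("General ledger", "erroneous journal posting not detected", 0.05, 1_000_000),
    ]


def risk_indicators(risks: list[ITRisk],
                    acceptable: float = ACCEPTABLE_RISK) -> list[tuple[str, str, float, bool]]:
    """For each IT process: the expected value of risk and whether it exceeds the
    acceptable level. The boolean is the risk indicator pointing to a need for control."""
    return [(r.process, r.threat, r.expected_value(), r.expected_value() > acceptable)
            for r in risks]


def residual_risk(risk: ITRisk, likelihood_reduction: float) -> float:
    """Expected value of risk after a control. Assumed model: the control lowers the
    likelihood by the given fraction (0 = no effect, 1 = threat fully prevented)."""
    if not 0.0 <= likelihood_reduction <= 1.0:
        raise ValueError("likelihood_reduction must be between 0 and 1")
    return risk.likelihood * (1.0 - likelihood_reduction) * risk.impact


if __name__ == "__main__":
    register = sample_register()
    for process, threat, ev, needs_control in risk_indicators(register):
        flag = "CONTROL NEEDED" if needs_control else "within acceptable level"
        print(f"{process:15} {threat:50} {ev:>12,.0f}  {flag}")
    # Assumed: an access control on payroll data cuts that likelihood by 80%.
    print(f"payroll residual risk: {residual_risk(register[0], 0.8):,.0f}")
```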
Identifying IT Controls
Once risks have been identified and assessed, specific controls need to be designed to control those risks.
Most widely used internal control models
– COSO
– Cadbury
– CoCo
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
COSO framework
– Consists of a definition of internal control and identification of 5 components
Internal control is broadly defined as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.
(COSO, Internal Control-Integrated Framework)
COSO cont.
5 components of Internal Control (IC)
– Control environment
» Attitude of management toward internal control
– Risk assessment
» Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks
– Control activities
» Internal control procedures and policies
» e.g., authorizations, approvals, passwords, and segregation of duties
COSO cont.
– Information and communication
» Refers to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives
– Monitoring
» Continuous monitoring of the internal control system by regular audits and evaluations
International IC Standards
Cadbury
– Stressed that internal control encompasses both financial and operational controls and that auditors should report on both
CoCo (Canadian Criteria of Control Committee)
– Similar to COSO and Cadbury
– Groups IC within 4 categories
» Purpose criteria that relate to an organization's mission and objectives
International IC Standards cont.
» Commitment criteria that relate to ethics, policies, and corporate identity
» Capability criteria that relate to the competence of an organization
» Monitoring and learning criteria that concern an organization's evolution
Other country standards
– South Africa's King Report
– France's Vienot Report
Quality Control Standards
In addition to IC, improve public confidence in products and processes by adopting quality control standards
ISO 9000 series – certifies that organizations comply with documented quality standards
Six Sigma – an approach to process and quality improvement
Statements on Auditing Standards
Issued by the AICPA's Accounting Standards Board
SAS 78: Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
SAS 94: The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit
New standards related to risk assessment
ISACA's CobiT
Integrates IC with information and IT
Used by managers & business owners along with auditors and information users
Three dimensions: information criteria, IT processes, and IT resources
Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security
ISACA's CobiT cont.
Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
Each domain consists of processes
CobiT identifies control objectives for each process
New management guidelines (new addition)
Systems Reliability Assurance
American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants: SysTrust
SysTrust
– Increases management, customer, supplier, and business partner confidence in IT
Documenting IT Controls
Internal control narratives
– Text describing controls over a particular risk
Flowcharts – internal control flowchart
– Pictures are easier to understand, follow and update
IC questionnaires
– Ask questions about IC over various applications, processes, or risks
– Users or administrators would complete the questionnaires with yes or no answers
Monitoring IT Risks and Controls
CobiT identifies several control objectives associated with monitoring
– Monitoring the processes
– Assessing IC adequacy
– Obtaining independent assurance
– Providing independent audit
Need for independent assurance and audit of IT controls