Chapter Three: IT Risks and Controls


Page 1

Chapter Three

IT Risks and Controls

Page 2

Lecture Outline

Identifying IT Risks
Assessing IT Risks
Identifying IT Controls
Documenting IT Controls
Monitoring IT Risks and Controls

Page 3

Types of IT Risks

What is risk?
– Chances of negative outcomes

Business risk
– Likelihood that an organization will not achieve its business goals and objectives
– Internal & external risk

Page 4

Audit risk
– Likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or
– an IT auditor fails to uncover a material error or fraud.

Page 5

inherent risk
» Likelihood of material errors or fraud inherent in the business environment.

control risk
» Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.

detection risk
» Likelihood that audit procedures will not detect material errors or fraud on a timely basis.

Page 6

Security risk
– Risks associated with data access and integrity.
– Physical or logical unauthorized access
– Negative outcomes

Continuity risk
– Risks associated with an information system’s availability and backup and recovery.

Page 7

Assessing IT Risk

Threats and vulnerabilities
– Identify threats or exposures
– Assess vulnerabilities to threats or exposures
– Determine acceptable risk level
» The expected value of risk

Risk indicators and risk measurement
– Identify IT processes and then develop a set of risk indicators
– Risk indicators would point to a need for control

Page 8

Identifying IT Controls

Once risks have been identified and assessed, specific controls need to be designed to control those risks.

Most widely used internal control models
– COSO,
– Cadbury and
– CoCo

Page 9

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

COSO framework
– Consists of a definition of internal control and identification of 5 components

Internal control is broadly defined as a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

COSO (Internal Control-Integrated Framework)

Page 10

COSO cont..

5 components of Internal Control (IC)
– Control environment
» Attitude of management toward internal control
– Risk assessment
» Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks.
– Control activities
» Internal control procedures and policies
» e.g., authorizations, approvals, passwords, and segregation of duties

Page 11

COSO cont..

– Information and communication
» Refers to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives
– Monitoring
» Continuous monitoring of the internal control system by regular audits and evaluations

Page 12

International IC Standards

Cadbury
– Stressed that internal control encompasses both financial and operational controls and that auditors should report on both.

CoCo (Canadian Criteria of Control Committee)
– Similar to COSO and Cadbury
– Groups IC within 4 categories
» Purpose criteria that relate to an organization’s missions and objectives

Page 13

International IC Standards cont..

» Commitment criteria that relate to ethics, policies, and corporate identity
» Capability criteria that relate to the competence of an organization
» Monitoring and learning criteria that concern an organization’s evolution

Other country standards
– South Africa’s King Report
– France’s Vienot Report

Page 14

Quality Control Standards

In addition to IC, improve public confidence in products and processes by adopting quality control standards

ISO 9000 series – certifies that organizations comply with documented quality standards

Six Sigma – an approach to process and quality improvement

Page 15

Statements on Auditing Standards

Issued by AICPA’s Accounting Standards Board

SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55

SAS 94 The Effect of IT on the Auditor’s Consideration of IC in a Financial Statement Audit

New standards related to risk assessment

Page 16

ISACA’s CobiT

Integrates IC with information and IT
Used by managers & business owners along with auditors and information users
Three dimensions: information criteria, IT processes, and IT resources
Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security

Page 17

ISACA’s CobiT cont…

Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
Each domain consists of processes
CobiT identifies control objectives for each process
New management guidelines (new addition)

Page 18

Systems Reliability Assurance

American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants: SysTrust

SysTrust
– Increase management, customer, supplier, and business partner confidence in the IT

Page 19

Documenting IT Controls

Internal control narratives
– Text describing controls over a particular risk

Flowcharts – internal control flowchart
– Pictures are easier to understand, follow and update

IC questionnaires
– Ask questions about IC over various applications, processes, or risks
– Users or administrators would complete the questionnaires with yes or no answers

Page 20

Monitoring IT Risks and Controls

CobiT identifies several control objectives associated with monitoring
– Monitoring the processes
– Assessing IC adequacy
– Obtaining independent assurance
– Providing independent audit

Need for independent assurance and audit of IT controls