
1

Chapter Three

IT Risks and Controls


2

The Risk Management Process

Identify IT Risks

Assess IT Risks

Identify IT Controls

Document IT Controls

Monitor IT Risks and Controls


3

Types of IT Risks

Business risk

Audit risk = IR * CR * DR
– inherent risk (IR)
– control risk (CR)
– detection risk (DR)

Security risk

Continuity risk


4

Assessing IT Risk

Threats and vulnerabilities

Risk (residual risk) =
  + Expected value of risk (Asset Value * Risk Likelihood)
  – Percentage of risk mitigated by the current controls
  + Uncertainty of knowledge about the vulnerability

Risk indicators and risk measurement
– Risks relative to IT processes
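The two formulas on these slides (audit risk = IR * CR * DR, and residual risk from expected value, mitigation and uncertainty) carried through in code, as an added example that is not part of the original slides. It assumes, as the usual textbook reading, that the mitigated and uncertainty terms are fractions of the expected value; the asset names, values and the `AssetRisk` class are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AssetRisk:
    name: str
    asset_value: float  # from the valuation methods on the next slide
    likelihood: float   # chance the threat is realised, 0..1
    mitigated: float    # share of the risk removed by current controls, 0..1
    uncertainty: float  # how unsure we are about the vulnerability, 0..1


def _check_fraction(label, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


def residual_risk(asset):
    """Expected value, less the share mitigated, plus the uncertainty share."""
    for label in ("likelihood", "mitigated", "uncertainty"):
        _check_fraction(label, getattr(asset, label))
    expected = asset.asset_value * asset.likelihood
    return expected - expected * asset.mitigated + expected * asset.uncertainty


def rank_by_residual_risk(assets):
    """Highest residual risk first: the order in which controls get attention."""
    scored = [(a.name, residual_risk(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def detection_risk(target_audit_risk, inherent, control):
    """Solve AR = IR * CR * DR for DR: the detection risk the auditor can accept
    given the assessed inherent and control risk."""
    for label, value in (("AR", target_audit_risk), ("IR", inherent), ("CR", control)):
        _check_fraction(label, value)
    if inherent == 0 or control == 0:
        raise ValueError("IR and CR must be non-zero to solve for DR")
    return target_audit_risk / (inherent * control)


# Constructed sample assets (not from the slides).
SAMPLE_ASSETS = [
    AssetRisk("customer database", 90, likelihood=0.5, mitigated=0.6, uncertainty=0.1),
    AssetRisk("public web server", 50, likelihood=1.0, mitigated=0.0, uncertainty=0.1),
    AssetRisk("payroll file share", 70, likelihood=0.3, mitigated=0.2, uncertainty=0.2),
]

if __name__ == "__main__":
    for name, score in rank_by_residual_risk(SAMPLE_ASSETS):
        print(f"{name:20s} residual risk = {score:5.1f}")
    print("acceptable DR at AR=5%, IR=50%, CR=50%:", detection_risk(0.05, 0.5, 0.5))
```

The web server with no current controls ranks first even though the database is worth more, which is the point of scoring residual rather than inherent risk.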


5

Valuation of Assets

Assets: People, Data, Hardware, Software, Facilities, (Procedures)

Valuation Methods
– Criticality to the organization's success
– Revenue generated
– Profitability
– Cost to replace
– Cost to protect
– Embarrassment/Liability


6

Internal Control (IC)

COSO – 5 components of IC
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

International IC Standards
– Cadbury
– CoCo
– Other country standards


7

Quality Control Standards

ISO 9000 series – certifies that organizations comply with documented quality standards

Six Sigma – an approach to process and quality improvement


8

Statements on Auditing Standards

Issued by AICPA's Accounting Standards Board

SAS 78 – Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55

SAS 94 – The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit

New standards related to risk assessment


9

ISACA's CobiT

Integrates IC with information and IT

Three dimensions: information criteria, IT processes, and IT resources

Requirements (information criteria) of quality, fiduciary, and security

Organizes IT internal control into domains and processes
– Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– Processes detail steps in each domain


10

IT Control Domains and Processes


11

IT Controls

COSO identifies two groups of IT controls:
– Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
– General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

A574 Internal Controls For Business


12

Segregation of Duties

Transaction authorization is separate from transaction processing.

Asset custody is separate from record-keeping responsibilities.

The tasks needed to process the transactions are subdivided so that fraud requires collusion.
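The three rules above turned into a check over user-to-duty assignments, as an added example that is not part of the original slides. The duty names, the conflict pairs and the sample users are constructed for this example; `collusion_required` reports how many people would have to cooperate to cover a whole set of duties, which is what the third rule aims to keep above one.

```python
from itertools import combinations

# Duties in the transaction cycle (names are constructed for this example).
AUTHORIZE, PROCESS, CUSTODY, RECORD = "authorize", "process", "custody", "record"

# Pairs of duties that one person must not hold together.
CONFLICTING_PAIRS = {
    frozenset({AUTHORIZE, PROCESS}),  # authorization separate from processing
    frozenset({CUSTODY, RECORD}),     # custody separate from record-keeping
}


def sod_violations(assignments):
    """Return (user, duty_a, duty_b) for every conflicting pair one user holds."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_PAIRS:
                found.append((user, a, b))
    return found


def collusion_required(assignments, duties_needed):
    """Smallest number of distinct users whose combined duties cover
    duties_needed; 1 means a single person could complete the fraud alone."""
    users = sorted(assignments)
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            covered = set().union(*(assignments[u] for u in group))
            if duties_needed <= covered:
                return size
    return None  # no combination of users holds all the duties


# Constructed sample assignments (not from the slides).
SAMPLE = {
    "alice": {AUTHORIZE},
    "bob": {PROCESS, RECORD},
    "carol": {CUSTODY},
    "dave": {AUTHORIZE, PROCESS},  # conflict: can approve and post own transactions
}

if __name__ == "__main__":
    print("violations:", sod_violations(SAMPLE))
    print("people needed for the full cycle:",
          collusion_required(SAMPLE, {AUTHORIZE, PROCESS, CUSTODY, RECORD}))
```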



13

Separation of Duties within IS


14

Classification of Controls

Preventive Controls: issue is prevented from occurring – cash receipts are immediately deposited to avoid loss

Detective Controls: issue is discovered – unauthorized disbursement is discovered during reconciliation

Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data


15

Application Control Goals

For business event inputs, ensure
– Input validity
– Input completeness
– Input accuracy

For master data, ensure
– Update completeness
– Update accuracy


16

Application Control Goals

Input validity
– Input data are approved and represent actual economic events and objects

Input completeness
– Requires that all valid events or objects be captured and entered into the system

Input accuracy
– Requires that events be correctly captured and entered into the system
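The three input goals applied to a constructed batch of order records, as an added example that is not part of the original slides. Validity is checked against an approver list and customer master data, accuracy with field edits, and completeness against the batch's control totals and sequence numbers; the field names, approver list, customer ids and sample batch are all assumptions for this example.

```python
from datetime import date

APPROVERS = {"jlee", "mrao"}                # who may authorize an order
KNOWN_CUSTOMERS = {"C100", "C101", "C102"}  # master data the input must reference
HEADER = {"count": 4, "total": 1250.00}     # constructed control totals from the sender
BATCH = [                                   # constructed records as received
    {"seq": 1, "cust": "C100", "amount": "500.00", "date": "2024-03-01", "by": "jlee"},
    {"seq": 2, "cust": "C101", "amount": "250.00", "date": "2024-03-01", "by": "mrao"},
    {"seq": 4, "cust": "C102", "amount": "5OO.00", "date": "2024-02-30", "by": "tkim"},
]


def _is_money(text):
    return text.replace(".", "", 1).isdigit()


def check_validity(rec):  # validity: authorized approver, existing customer
    errs = []
    if rec["by"] not in APPROVERS:
        errs.append(f"seq {rec['seq']}: approver {rec['by']!r} not authorized")
    if rec["cust"] not in KNOWN_CUSTOMERS:
        errs.append(f"seq {rec['seq']}: unknown customer {rec['cust']!r}")
    return errs


def check_accuracy(rec):  # accuracy: field edits (numeric amount, real calendar date)
    errs = []
    if not _is_money(rec["amount"]):
        errs.append(f"seq {rec['seq']}: amount {rec['amount']!r} is not numeric")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errs.append(f"seq {rec['seq']}: date {rec['date']!r} is not a valid date")
    return errs


def check_completeness(batch, header):  # completeness: count, control total, sequence gaps
    errs = []
    if len(batch) != header["count"]:
        errs.append(f"record count {len(batch)} != expected {header['count']}")
    total = sum(float(r["amount"]) for r in batch if _is_money(r["amount"]))
    if abs(total - header["total"]) > 0.005:
        errs.append(f"control total {total:.2f} != expected {header['total']:.2f}")
    seqs = sorted(r["seq"] for r in batch)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    if missing:
        errs.append(f"sequence gap: missing {missing}")
    return errs


def audit_batch(batch, header):  # all findings; an empty list means the batch may be posted
    errs = check_completeness(batch, header)
    for rec in batch:
        errs += check_validity(rec) + check_accuracy(rec)
    return errs
```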


17

Systems Reliability Assurance

SysTrust

WebTrust

New AICPA Trust Principles


18

Documenting IT Controls

Internal control narratives

Flowcharts – internal control flowchart

IC questionnaires


19

Risk Control Strategies

Avoidance
– Policy, Training and Education, or Technology

Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)

Mitigation – reducing the impact through planning and preparation

Acceptance – doing nothing if the cost of protection does not justify the expense of the control


20

Monitoring IT Risks and Controls

CobiT control objectives associated with monitoring and evaluation

Need for independent assurance and audit of IT controls
