
Page 1: IT Risks and Controls - · PDF fileIT Risks and Controls ... when designing internal controls: 1. Segregation of duties 2. Competence and integrity of people 3. ... Chapter One Author:

IT Risks and Controls

Revised in 2014

Page 2

Content

• Internal Control

What is internal control?

Objectives of internal controls

Types of internal controls

Elements of internal controls

Categories of internal controls

• Risk

Risk management control

Types of risk

Risk IT framework by ISACA

CIS B424, Sulfeeza

Page 3

Internal Control

Any action taken by management to enhance the likelihood that established objectives and goals will be achieved

(Source: Cascarino, 2012)

The objectives and goals of an organization can be divided into:

a) Corporate objectives – the statement of corporate intent

b) Management objectives – how the corporate objectives will be met

Page 4

Internal Control

Whose responsibility?

• Management is responsible for ensuring that controls are properly planned, organized and directed:

a) Planning – establishing control objectives and goals and choosing the preferred method of utilizing resources

b) Organizing – gathering the required resources and arranging them so that objectives may be attained

c) Directing – authorizing, instructing and monitoring performance

Page 5

Objectives of Internal Control

1. Reliability and integrity of information

2. Compliance with policies, plans, procedures, laws and regulations

3. Safeguarding of assets

4. Effectiveness and efficiency of operations

Page 6

Types of Internal Control

1. Preventive controls – steps designed to keep errors or irregularities from occurring in the first place

2. Detective controls – steps designed to detect errors or irregularities that may have occurred

3. Corrective controls – steps designed to correct errors or irregularities that have been detected

4. Directive controls – steps designed to produce positive results and encourage acceptable behaviour

5. Compensating controls – a weakness in one control may be compensated for by another control elsewhere

(Source: Cascarino, 2012; https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)

Page 7

Elements of Internal Control

Management must ensure the following when designing internal controls:

1. Segregation of duties

2. Competence and integrity of people

3. Appropriate level of authority

4. Accountability

5. Adequate resources

6. Supervision and review

(Source: Cascarino, 2012)

Page 8

Limitations of Internal Control

1. Judgment

2. Breakdowns

3. Management override

4. Collusion

(Source: https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)

Page 9

Categories of IT controls

• The objectives of IT controls relate to the confidentiality, integrity and availability of data and to the overall management of the IT function in an organization

• IT controls can be categorized as:

1. IT general controls

2. IT application controls

(Source: Wikipedia)

Page 10

IT General Controls

• Help to ensure the reliability of data generated by IT systems

• Areas included:

1. General IT controls

2. Computer operations

3. Physical security

4. Logical security

5. Program change control

6. Systems development

(Source: Cascarino, 2012; Wikipedia)

Page 11

IT Application Controls

• Help to ensure the completeness and accuracy of data processing, from input to output

• Among the controls that can be implemented:

1. Completeness check

2. Validity check

3. Identification

4. Authentication

5. Authorization

6. Input controls

7. Forensic controls

(Source: Wikipedia)
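The completeness, validity, identification, authorization and input controls listed on this slide, together with the segregation of duties named under Elements of Internal Control, are easiest to understand as concrete checks applied to one transaction before it is accepted. The following Python is an added example written for this page; it is not code from the lecture, from Cascarino or from any other cited source. The payment-record layout, the role table, the allowed-currency list, the single-approval limit and the sample records are all assumptions made for the illustration.

```python
"""Application input controls for a payment record (added example).

Implements the completeness, validity, identification, authorization and
segregation-of-duties checks named in the slides. The record layout, the
role table, the allowed currencies, the approval limit and the sample
records are assumptions made for this illustration.
"""
from __future__ import annotations

from decimal import Decimal, InvalidOperation

# Completeness check: every payment must carry these fields.
REQUIRED_FIELDS = ("payment_id", "payee_account", "amount",
                   "currency", "prepared_by", "approved_by")

# Validity check: assumed list of currencies the system may pay in.
ALLOWED_CURRENCIES = {"MYR", "USD", "EUR"}

# Assumed role table (identification + authorization): user -> granted roles.
ROLES = {
    "alice": {"preparer"},
    "bob": {"approver"},
    "carol": {"preparer", "approver"},
    "dave": set(),                     # known user, holds no payment role
}

# Assumed limit above which one approval is not enough.
SINGLE_APPROVAL_LIMIT = Decimal("50000.00")


def luhn_valid(number: str) -> bool:
    """Validity check on an account number via the mod-10 (Luhn) check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_record(rec: dict) -> list[str]:
    """Return the control failures for one payment record (empty list = passes)."""
    findings: list[str] = []

    # 1. Completeness: reject before validating anything else.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        findings.append("completeness: missing " + ", ".join(missing))
        return findings

    # 2. Validity of individual fields.
    if not luhn_valid(str(rec["payee_account"])):
        findings.append("validity: payee_account fails check digit")
    amount = None
    try:
        amount = Decimal(str(rec["amount"]))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            findings.append("validity: amount must be positive with at most 2 decimals")
    except InvalidOperation:      # not a number, NaN, or infinity
        amount = None
        findings.append("validity: amount is not a number")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        findings.append("validity: currency not in allowed list")

    # 3. Identification: both parties must be known users.
    preparer, approver = rec["prepared_by"], rec["approved_by"]
    for who in (preparer, approver):
        if who not in ROLES:
            findings.append(f"identification: unknown user {who}")
    # 4. Authorization: each party must hold the role for the action taken.
    if "preparer" not in ROLES.get(preparer, set()):
        findings.append(f"authorization: {preparer} may not prepare payments")
    if "approver" not in ROLES.get(approver, set()):
        findings.append(f"authorization: {approver} may not approve payments")
    # 5. Segregation of duties: whoever prepares a payment may not approve it.
    if preparer == approver:
        findings.append("segregation of duties: preparer and approver are the same user")
    # Higher-value payments need a second approver distinct from both parties.
    if amount is not None and amount > SINGLE_APPROVAL_LIMIT:
        second = rec.get("second_approver")
        if not second or second in (preparer, approver):
            findings.append("authorization: amount above limit needs a distinct second approver")

    return findings


# Constructed sample records (not real data).
GOOD = {"payment_id": "P-1001", "payee_account": "79927398713", "amount": "1250.00",
        "currency": "MYR", "prepared_by": "alice", "approved_by": "bob"}
SELF_APPROVED = dict(GOOD, payment_id="P-1002", prepared_by="carol", approved_by="carol")
BAD = {"payment_id": "P-1003", "payee_account": "79927398710", "amount": "-5",
       "currency": "XXX", "prepared_by": "alice", "approved_by": "dave"}
INCOMPLETE = {"payment_id": "P-1004"}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("SELF_APPROVED", SELF_APPROVED),
                      ("BAD", BAD), ("INCOMPLETE", INCOMPLETE)):
        print(name, check_record(rec) or "passes all controls")
```

Note the order of the checks: completeness runs first and stops further validation, because validity and authorization findings on a half-filled record are noise; the segregation-of-duties check is kept separate from the role checks so that a user like `carol`, who legitimately holds both roles, is still prevented from approving her own entry.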

Page 12

IT General and Application Controls Hierarchy

(Figure: a layered hierarchy of IT controls, listed here from the top layer down; the side labels Governance, Management and Technical mark the level at which each group of controls sits.)

1. Policies

2. IT Standards

3. Management and Organization

4. Physical and Environmental Controls

5. Systems Software Controls

6. Systems Development Controls

7. Application-based Controls

Page 13

Risks

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action

(Source: BusinessDictionary.com)

Page 14

Risks

So what are threats and vulnerabilities?

• Threat – A possible danger that might exploit a vulnerability to breach security and thus cause possible harm (Source: Wikipedia)

• Vulnerability – A weakness of an asset or group of assets that can be exploited by one or more threats (Source: ISO)

Page 15

Types of Risks

1. Business Risk – The possibility that a company will have lower than anticipated profits, or that it will experience a loss rather than a profit (Source: Investopedia)

2. Audit Risk

a) Inherent Risk – The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances (Source: BusinessDictionary.com)

b) Control Risk – The likelihood that the control processes established to manage inherent risk prove to be ineffective (Source: Cascarino, 2012)

c) Residual Risk – The risk that significant business exposures have not been adequately addressed by the audit process (Source: Cascarino, 2012)

3. Continuity Risk – The possibility that a company will not be able to continue its operations due to a weakness in control

Page 16

IT Risks

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence (Source: ISO)

Page 17

Categories of IT Risks

The Risk IT Framework (ISACA) groups IT risk into three categories:

1. IT operations and service delivery risk – associated with the performance and availability of IT services

2. IT programme and project delivery risk – associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes

3. IT benefit/value enablement risk – associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives

(Source: ISACA, Risk IT Framework)

Page 18

Risk Management

The process which aims to help organizations understand, evaluate and take action on all their risks, with a view to increasing the probability of success and reducing the likelihood of failure

(Source: Institute of Risk Management)

Page 19

Risk IT Framework

Page 20

Domains of Risk IT Framework

a)Risk Governance — Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.

b)Risk Evaluation — Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.

c)Risk Response — Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
