Risk Management. IT Controls. Risk management process. IT controls...
Risk Management
IT Controls
Risk management process
IT controls
IT Governance Frameworks
The Risk Management Process
Identify IT Risks
Assess IT Risks
Identify IT Controls
Document IT Controls
Monitor IT Risks and Controls
IT and Transaction Processing
The IS collects transaction data
The IS turns data into information
Computerized transaction systems increase some risks and decrease others
AIS Threat Examples
Fraud
Computer crimes
Nonconformity with agreements & contracts between the organization & third parties
Violations of intellectual property rights
Noncompliance with other regulations & laws.
Types of IT Risks
Business risk
Audit risk = IR * CR * DR
– inherent risk (IR)
– control risk (CR)
– detection risk (DR)
Security risk
Continuity risk
Valuation of Asset
What do we stand to lose?
Assets: People, Data, Hardware, Software, Facilities, (Procedures)
Valuation Methods
– Criticality to the organization’s success
– Revenue generated
– Profitability
– Cost to replace
– Cost to protect
– Embarrassment/Liability
IT Controls
COSO identifies two groups of IT controls:
– Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
– General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
Application Control Goals
Input validity
– Input data are approved and represent actual economic events and objects
Input completeness
– Requires that all valid events or objects be captured and entered into the system
Input Accuracy
– Requires that events be correctly captured and entered into the system
Classification of Controls
Preventive Controls: Issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation
Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data
Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.
Separation of Duties within IS
Documenting IT Controls
Internal control narratives
Flowcharts – internal control flowchart
IC questionnaires
Risk Control Strategies
Avoidance
– Policy, Training and Education, or Technology
Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
Mitigation – reducing the impact through planning and preparation
Acceptance – doing nothing if the cost of protection does not justify the expense of the control
Monitoring IT Risks and Controls
CobiT control objectives associated with monitoring and evaluation
Need for independent assurance and audit of IT controls
IT Governance
…the process for controlling an organization’s IT resources, including information and communication systems, and technology.
…using IT to promote an organization’s objectives and enable business processes and to manage and control IT related risks.
IT Auditors ensure IT governance by assessing risks and monitoring controls over those risks
COSO and Internal Control (IC)
COSO – 5 components of IC
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
International IC Standards
– Cadbury
– CoCo
– Other country standards
ISACA’s CobiT
Integrates IC with information and IT
Three dimensions: information criteria, IT processes, and IT resources
Requirements (information criteria) of quality, fiduciary, and security
Organizes IT internal control into domains and processes
– Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– Processes detail steps in each domain
IT Control Domains and Processes
What do IT auditors do?
Ensure IT governance by assessing risks and monitoring controls over those risks
Works as either an internal or external auditor
Works on many kinds of audit engagements