1 / 20

Chapter Three

Chapter Three. IT Risks and Controls. Lecture Outline. Identifying IT Risks Assessing IT Risks Identifying IT Controls Documenting IT Controls Monitoring IT Risks and Controls. Types of IT Risks. What is risk? Chances of negative outcomes Business risk

samgomez
Download Presentation

Chapter Three

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter Three IT Risks and Controls

  2. Lecture Outline • Identifying IT Risks • Assessing IT Risks • Identifying IT Controls • Documenting IT Controls • Monitoring IT Risks and Controls

  3. Types of IT Risks • What is risk? • Chances of negative outcomes • Business risk • Likelihood that an organization will not achieve its business goals and objectives • Internal & external risk

  4. Audit risk • Likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements or • an IT auditor fails to uncover a material error of fraud.

  5. inherent risk • Likelihood of material errors or fraud inherent in the business environment. • control risk • Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis. • detection risk • Likelihood that audit procedures will not detect material errors or fraud on a timely basis.

  6. Security risk • Risks associated with data access and integrity. • Physical or logical unauthorized access • Negative outcomes • Continuity risk • Risks associated with an information system’s availability and backup and recovery.

  7. Assessing IT Risk • Threats and vulnerabilities • Identify threats or exposures • Access vulnerabilities to threats or exposures • Determine acceptable risk level • The expected value of risk • Risk indicators and risk measurement • Identify IT processes and then develop a set of risk indicators • Risk indicators would point to a need for control

  8. Identifying IT Control • Once risks have been identified and accessed, specific controls need to be designed to control those risks. • Most widely used internal control model • COSO, • Cadbury and • CoCo

  9. COSO (Committee of Sponsoring Organizations of the Treadway Commission) • COSO framework • Consists of a definition of internal control and identification of 5 components Internal control is broadly defined as a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Coso(Internal Control-Integrated Framework)

  10. COSO cont.. • 5 components of Internal Control (IC) • Control environment • Attitude of management toward internal control • Risk assessment • Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks. • Control activities • Internal control procedures and policies • i.e., authorizations, approvals, passwords, and segregation of duties

  11. COSO cont.. • Information and communication • Refer to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives • Monitoring • Continuous monitoring of internal control system by regular audits and evaluations

  12. International IC Standards • Cadbury • Stressed that internal control encompasses both financial and operational controls and the auditors should report both. • CoCo (Canadian Criteria of Control Committee) • Similar to COSO and Cadbury • Group IC within 4 categories • Purpose criteria that relate to an organization’s missions and objectives

  13. International IC Standards cont.. • Commitment criteria relate to ethics, policies, and corporate identity • Capability criteria that relate to the competence of an organization • Monitoring and learning criteria that concern an organization’s evolution • Other country standards • South Africa’s King Report • France’s Vienot Report

  14. Quality Control Standards • In addition to IC, improve public conference in products and processes by adopting quality control standards • ISO 9000 series – certifies that organizations comply with documented quality standards • Six Sigma – an approach to process and quality improvement

  15. Statements on Auditing Standards • Issued by AICPA’s Accounting Standards Board • SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55 • SAS 94 The Effect of IT on the Auditor’s Consideration of IC in a Financial Staetment Audit • New standards related to risk assessment

  16. ISACA’s CobiT • Integrates IC with information and IT • Use by managers & business owners along with auditors and information users • Three dimensions: information criteria, IT processes, and IT resources • Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security

  17. ISACA’s CobiT cont… • Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring • Each domain consists of processes • CobiT identifies a control objectives for each processes • New management guidelines (new addition)

  18. Systems Reliability Assurance • American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants  SysTrust • SysTrust • Increase management, customer, supplier, and business partner confidence in the IT

  19. Documenting It Controls • Internal control narratives • Text describing controls over a particular risk • Flowcharts – internal control flowchart • Picture are easier to understand, follow and update • IC questionnaires • Ask questions about IC over various applications, processes, or risks • Users or administrators would complete the questionnaires with yes or no answer

  20. Monitoring IT Risks and Controls CobiT identifies several control objectives associated with monitoring Monitoring the processes Accessing IC adequacy Obtaining independent assurance Providing independent audit Need for independent assurance and audit of IT controls

More Related