
Application-level IT Risk Assessment

Application-level IT Risk Assessment. ISACA Denver Chapter Meeting, February 21, 2008. Kerry L. Shackelford, KLS Consulting LLC. Outline: Why this topic? SEC interpretive guidance; ABC’s implementation approach; Design of the ITRA model; Model walk-through / Q&A.


Presentation Transcript


  1. Application-level IT Risk Assessment. ISACA Denver Chapter Meeting, February 21, 2008. Kerry L. Shackelford, KLS Consulting LLC

  2. Outline
     • Why this topic?
     • SEC interpretive guidance
     • ABC’s implementation approach
     • Design of the ITRA model
     • Model walk-through / Q&A

  3. Why This Topic? GRC Spending Skyrockets

  4. Why This Topic? US Congress Responds

  5. Why This Topic? Corporate Outcry Begins. “The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.” Journal of Accountancy, Two Years and Counting, June 2007

  6. Why This Topic? Fix: Audit Firms. Per the PCAOB policy statement issued 5/16/05, the auditors should:
     • Integrate their audits
     • Tailor audit plans to their client’s risks
     • Use a top-down approach
     • Use the work of others
     • Communicate directly and timely with clients

  7. Why This Topic? SOX Year Two - 2005

  8. Why This Topic? Corporate Outcry (Cont). The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began. Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services, www.issproxy.com

  9. Why This Topic? Fix: Issuer (& Audit Firms)

  10. SEC Interpretive Guidance: For Issuer Management
      • Guidance Regarding Management’s Report on Internal Control Over Financial Reporting
      • Effective Date: June 27, 2007
      • www.sec.gov/rules/interp/2007/33-8810.pdf
      • ACTION: Interpretation.

  11. SEC Interpretive Guidance: Underlying Principles. Management should:
      • Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
      • Base its assessment of risk on the evaluation of evidence about the operation of its controls.

  12. SEC Interpretive Guidance: Benefits

  13. ITRA Overview - Approach
      • Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
      • Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
      • Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

  14. ITRA Model Walk-Through

  15. ITRA Run Settings
      • Assignment of point values to risk factors
      • Break points which define Low, Medium, and High risk applications
      • Excluding risk factor categories from results
      • Excluding missing / unknown data

  16. ITRA Risk Factors
      • Information Categories
        • APPL (Application Systems)
        • ADOS (Application / Database Server Operating Systems)
        • DBMS (Data Base Management Systems)
      • Plus basic APPL information
      • Bias towards objective vs subjective evaluation criteria

  17. ITRA APPL Basic Information
      • Name
      • SOX-Indicator-IC-Dept
      • Vendor-Name
      • Original-Implementation-Date
      • Major-Release-Implementation-Date
      • Software-Version
      • Support-Source
      • Infrastructure Management-Source
      • App-Server-OS-Vendor, Product, Version, & SP-Level
      • DB-Server-OS-Vendor, Product, Version, & SP-Level
      • DB-DBMS-Vendor, Product, Version, & SP-Level

  18. ITRA APPL Risk Factors (1 of 2)
      • Vendor-Reputation
      • Months-Post-Original-Implementation-Date
      • Months-Post-Major-Release-Date
      • Version-Supported
      • Users-Count
      • Customization
      • User-Configurable
      • Simple-or-Complex-Logic
      • Interfaces-Total-Count
      • Interfaces-Manual-Count
      • Changes-Count-Normal
      • Changes-Count-Emergency
      • Failures-Count
      • Restores-Count

  19. ITRA APPL Risk Factors (2 of 2)
      • Gaps-Security-Count
      • Gaps-Changes-Count
      • Gaps-QAAR-Count
      • Gaps-SOD-Count
      • Gaps-Other-Count
      • Outages-Count-Days
      • Outages-Hours
      • Processes-Supported-Count
      • BP-Risk-Average-Inherent
      • Materiality-I-Count
      • Materiality-G-Count
      • Materiality-S-Count
      • IT Tier

  20. ITRA ADOS Risk Factors
      • Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
      • App Server OS-Vendor-Reputation
      • DB Server OS-Vendor-Reputation
      • App Server OS-Version-Supported
      • DB Server OS-Version-Supported
      • Changes-Count
      • Failures-Count
      • Gaps-Security-Count
      • Gaps-Changes-Count
      • Gaps-QOSR-Count
      • Gaps-Other-Count
      • Production-Server-Count

  21. ITRA DBMS Risk Factors
      • Vendor-Reputation
      • Version-Supported
      • Changes-Count
      • Failures-Count
      • Gaps-Security-Count
      • Gaps-Changes-Count
      • Gaps-QDBR-Count
      • Gaps-Other-Count
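The slides describe the ITRA scoring procedure (point values per risk factor, break points for Low / Medium / High, excluding categories, excluding missing data) but do not show it in operation. The following is an added example written for this page, not the presenter's model: it implements that procedure over a handful of the APPL, ADOS and DBMS factors named on slides 18 to 21. The point scales, the break points, the sample applications and the worst-case treatment of unknown data are all constructed assumptions, chosen so the effect of the "exclude missing / unknown data" run setting is visible in the ratings.

```python
"""Illustrative ITRA-style scoring model (added example, not the presenter's
model or point values).  Factor names follow the slide lists; point scales,
break points and the sample inventory are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str]  # (information category, risk factor name)


@dataclass(frozen=True)
class RiskFactor:
    name: str
    category: str                  # "APPL", "ADOS" or "DBMS"
    max_points: int                # worst-case points this factor can add
    score: Callable[[object], int]  # raw observation -> points


def banded(bands: List[Tuple[int, int]]) -> Callable[[int], int]:
    """Count-to-points rule: the highest band whose threshold the count reaches."""
    def score(value: int) -> int:
        points = 0
        for threshold, band_points in bands:
            if value >= threshold:
                points = band_points
        return points
    return score


def unsupported(value: bool) -> int:
    """Version-Supported style factor: supported = 0 points, unsupported = 3."""
    return 0 if value else 3


# Run setting 1: assumed point values for a subset of the slides' risk factors.
FACTORS: List[RiskFactor] = [
    RiskFactor("Vendor-Reputation", "APPL", 3, lambda v: {"strong": 0, "average": 1, "weak": 3}[v]),
    RiskFactor("Version-Supported", "APPL", 3, unsupported),
    RiskFactor("Users-Count", "APPL", 3, banded([(50, 1), (500, 2), (5000, 3)])),
    RiskFactor("Changes-Count-Emergency", "APPL", 3, banded([(1, 1), (5, 2), (12, 3)])),
    RiskFactor("Gaps-Security-Count", "APPL", 3, banded([(1, 1), (3, 2), (6, 3)])),
    RiskFactor("Outsourcer-SAS 70 Report Opinion", "ADOS", 3,
               lambda v: {"unqualified": 0, "qualified": 2, "none": 3}[v]),
    RiskFactor("App Server OS-Version-Supported", "ADOS", 3, unsupported),
    RiskFactor("Gaps-Security-Count", "DBMS", 3, banded([(1, 1), (3, 2), (6, 3)])),
    RiskFactor("Version-Supported", "DBMS", 3, unsupported),
]


@dataclass(frozen=True)
class RunSettings:
    break_points: Tuple[float, float] = (0.33, 0.66)   # setting 2: share of possible points
    excluded_categories: frozenset = frozenset()       # setting 3: drop whole categories
    exclude_missing: bool = True                       # setting 4: drop factors with no data


def assess(observations: Dict[Key, object], settings: RunSettings) -> dict:
    """Score one application: points earned over points possible, then band it."""
    earned = possible = 0
    missing: List[Key] = []
    for factor in FACTORS:
        if factor.category in settings.excluded_categories:
            continue
        key = (factor.category, factor.name)
        if key not in observations:
            missing.append(key)
            if settings.exclude_missing:
                continue                   # ignored: counts in neither numerator nor denominator
            earned += factor.max_points    # assumption: unknown data scored as worst case
        else:
            earned += factor.score(observations[key])
        possible += factor.max_points
    ratio = earned / possible if possible else 0.0
    low, high = settings.break_points
    rating = "Low" if ratio < low else "Medium" if ratio < high else "High"
    return {"points": earned, "possible": possible, "ratio": round(ratio, 3),
            "rating": rating, "missing": missing}


def rank_applications(apps: Dict[str, Dict[Key, object]],
                      settings: RunSettings) -> List[Tuple[str, str]]:
    """Highest-scoring first, so evaluation effort can follow the rating."""
    results = {name: assess(obs, settings) for name, obs in apps.items()}
    ordered = sorted(results, key=lambda n: results[n]["ratio"], reverse=True)
    return [(name, results[name]["rating"]) for name in ordered]


# Constructed sample inventory (not real systems).  Two applications have no
# ADOS data collected, which is what run setting 4 decides how to handle.
SAMPLE_APPS: Dict[str, Dict[Key, object]] = {
    "GL-Ledger": {
        ("APPL", "Vendor-Reputation"): "strong", ("APPL", "Version-Supported"): True,
        ("APPL", "Users-Count"): 40, ("APPL", "Changes-Count-Emergency"): 0,
        ("APPL", "Gaps-Security-Count"): 0,
        ("ADOS", "Outsourcer-SAS 70 Report Opinion"): "unqualified",
        ("ADOS", "App Server OS-Version-Supported"): True,
        ("DBMS", "Gaps-Security-Count"): 0, ("DBMS", "Version-Supported"): True,
    },
    "Legacy-Payroll": {
        ("APPL", "Vendor-Reputation"): "weak", ("APPL", "Version-Supported"): False,
        ("APPL", "Users-Count"): 600, ("APPL", "Changes-Count-Emergency"): 7,
        ("APPL", "Gaps-Security-Count"): 4,
        ("DBMS", "Gaps-Security-Count"): 1, ("DBMS", "Version-Supported"): False,
    },
    "HR-Portal": {
        ("APPL", "Vendor-Reputation"): "average", ("APPL", "Version-Supported"): True,
        ("APPL", "Users-Count"): 100, ("APPL", "Changes-Count-Emergency"): 2,
        ("APPL", "Gaps-Security-Count"): 1,
        ("DBMS", "Gaps-Security-Count"): 0, ("DBMS", "Version-Supported"): True,
    },
}

if __name__ == "__main__":
    for name, rating in rank_applications(SAMPLE_APPS, RunSettings()):
        print(f"{name:15s} {rating}")
```

Running it ranks Legacy-Payroll as High ahead of the two Low applications. The design point is in `assess`: with `exclude_missing=True` a factor without data drops out of both the earned and the possible points, so an application with thin data is rated only on what is known; with `exclude_missing=False` the same unknowns are scored as worst case, which moves HR-Portal from Low to Medium. Either choice is defensible, but the run setting should be recorded with the results, since it changes which applications receive the heavier internal control evaluation procedures.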

  22. ITRA Model Walk-Through (cont)

  23. ITRA Major Data Sources
      • IC Department
        • APPL Lists
        • CMS Reports
        • APPL Narratives
        • Detailed Assessment
        • ITGC Documentation
        • Gap Logs
      • Evaluator Judgment
        • Internet Research
      • IT Department
        • APPL Lists
        • Infrastructure Lists
        • Change Records
        • Outage Reports
        • Problem Reports
      • Outsourcers
        • SAS 70 Reports
        • Change Records
        • Problem Reports

  24. Q&A. Kerry L. Shackelford, 720-839-6359, Kerry@KLSConsultingLLC.com