Learn to identify, assess, and control IT risks effectively. Understand various types of IT risks, from security to continuity risks. Explore frameworks like COSO and CoCo, along with international IC standards. Discover audit standards, quality control measures, and ISACA’s CobiT guidelines for integrated information and IT control.
Chapter Three IT Risks and Controls
Lecture Outline
• Identifying IT Risks
• Assessing IT Risks
• Identifying IT Controls
• Documenting IT Controls
• Monitoring IT Risks and Controls
Types of IT Risks
• What is risk?
  • Chances of negative outcomes
• Business risk
  • Likelihood that an organization will not achieve its business goals and objectives
  • Internal & external risk
Audit risk
• Likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or
• that an IT auditor fails to uncover a material error or fraud.
• Inherent risk
  • Likelihood of material errors or fraud inherent in the business environment.
• Control risk
  • Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.
• Detection risk
  • Likelihood that audit procedures will not detect material errors or fraud on a timely basis.
Security risk
• Risks associated with data access and integrity.
  • Physical or logical unauthorized access
  • Negative outcomes
Continuity risk
• Risks associated with an information system’s availability and backup and recovery.
Assessing IT Risk
• Threats and vulnerabilities
  • Identify threats or exposures
  • Assess vulnerabilities to threats or exposures
  • Determine acceptable risk level
  • The expected value of risk
• Risk indicators and risk measurement
  • Identify IT processes and then develop a set of risk indicators
  • Risk indicators would point to a need for control
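The expected-value approach on this slide, as an added example (not from the lecture): a small Python risk register that scores each threat's expected annual loss as likelihood times impact, flags entries above management's acceptable risk level as indicators of a need for control, and checks whether a proposed control's avoided loss covers its cost. All figures, risk names and the MFA control are constructed assumptions.

```python
"""Quantitative IT risk assessment: expected value of risk versus an
acceptable risk level, plus a cost/benefit check on a proposed control.
Added example; every figure below is constructed, not from the lecture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability the threat exploits the vulnerability (0..1)
    impact: float      # loss if it happens, in currency units

    def expected_value(self) -> float:
        """Expected value of risk = likelihood x impact (expected annual loss)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_after: float  # residual likelihood once the control is in place


def needs_control(risk: Risk, acceptable_level: float) -> bool:
    """Risk indicator: expected loss above the acceptable level points to a need for control."""
    return risk.expected_value() > acceptable_level


def control_benefit(risk: Risk, control: Control) -> float:
    """Net annual benefit: loss avoided minus control cost; positive means the control pays off."""
    residual = Risk(risk.name, control.likelihood_after, risk.impact)
    return risk.expected_value() - residual.expected_value() - control.annual_cost


def assess(risks, acceptable_level):
    """Rank risks by expected value and flag each one that needs a control."""
    ranked = sorted(risks, key=lambda r: r.expected_value(), reverse=True)
    return [(r.name, round(r.expected_value(), 2), needs_control(r, acceptable_level)) for r in ranked]


# Constructed sample register (hypothetical figures), one entry per risk type from the slides.
REGISTER = [
    Risk("Unauthorized logical access to payroll DB", 0.10, 250_000),  # security risk
    Risk("Backup restore failure after disk loss", 0.05, 400_000),     # continuity risk
    Risk("Unreviewed vendor payment above limit", 0.30, 20_000),       # control risk
]
ACCEPTABLE = 10_000.0  # management's acceptable expected annual loss per risk (assumed)

if __name__ == "__main__":
    for row in assess(REGISTER, ACCEPTABLE):
        print(row)
    mfa = Control("MFA on DB accounts", annual_cost=8_000, likelihood_after=0.02)
    print("MFA net benefit:", control_benefit(REGISTER[0], mfa))
```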
Identifying IT Controls
• Once risks have been identified and assessed, specific controls need to be designed to control those risks.
• Most widely used internal control models:
  • COSO
  • Cadbury
  • CoCo
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• COSO framework
  • Consists of a definition of internal control and identification of 5 components
Internal control is broadly defined as a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. (COSO, Internal Control-Integrated Framework)
COSO cont.
• 5 components of Internal Control (IC)
  • Control environment
    • Attitude of management toward internal control
  • Risk assessment
    • Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks.
  • Control activities
    • Internal control procedures and policies
    • e.g., authorizations, approvals, passwords, and segregation of duties
COSO cont.
  • Information and communication
    • Refers to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives
  • Monitoring
    • Continuous monitoring of the internal control system by regular audits and evaluations
International IC Standards
• Cadbury
  • Stressed that internal control encompasses both financial and operational controls and that auditors should report on both.
• CoCo (Canadian Criteria of Control Committee)
  • Similar to COSO and Cadbury
  • Groups IC within 4 categories
    • Purpose criteria that relate to an organization’s mission and objectives
International IC Standards cont.
    • Commitment criteria that relate to ethics, policies, and corporate identity
    • Capability criteria that relate to the competence of an organization
    • Monitoring and learning criteria that concern an organization’s evolution
• Other country standards
  • South Africa’s King Report
  • France’s Vienot Report
Quality Control Standards
• In addition to IC, improve public confidence in products and processes by adopting quality control standards
  • ISO 9000 series – certifies that organizations comply with documented quality standards
  • Six Sigma – an approach to process and quality improvement
Statements on Auditing Standards
• Issued by AICPA’s Accounting Standards Board
• SAS 78, Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
• SAS 94, The Effect of IT on the Auditor’s Consideration of IC in a Financial Statement Audit
• New standards related to risk assessment
ISACA’s CobiT
• Integrates IC with information and IT
• Used by managers and business owners along with auditors and information users
• Three dimensions: information criteria, IT processes, and IT resources
• Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security
ISACA’s CobiT cont.
• Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
• Each domain consists of processes
• CobiT identifies control objectives for each process
• New management guidelines (new addition)
Systems Reliability Assurance
• American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants: SysTrust
• SysTrust
  • Increases management, customer, supplier, and business partner confidence in the IT
Documenting IT Controls
• Internal control narratives
  • Text describing controls over a particular risk
• Flowcharts – internal control flowchart
  • Pictures are easier to understand, follow and update
• IC questionnaires
  • Ask questions about IC over various applications, processes, or risks
  • Users or administrators would complete the questionnaires with yes or no answers
Monitoring IT Risks and Controls
• CobiT identifies several control objectives associated with monitoring
  • Monitoring the processes
  • Assessing IC adequacy
  • Obtaining independent assurance
  • Providing independent audit
• Need for independent assurance and audit of IT controls