Internal control - CICA - Mgt discharges respon.


This Lecture Covers

• IT Control Frameworks
• Liberating Control from Financial Reporting
• ITCG, COBIT, and new frameworks such as the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability

Control Frameworks

CICA

The CICA framework is a hierarchy (shown as a diagram on the original slide):
• Control Issues (A, B, C, D, ...), e.g. Responsibility for Risk Management and Control, Information Technology Planning, etc.
• Control Objectives under each issue (A1, A2, B1, ...)
• Minimum Control Standards under each objective

ISACA

• Introduced CoBIT, CoBIT2, CoBIT3 (2000)
• Emphasized IT controls
• Identifies 34 high level control objectives
• Has 302 recommended detail control objectives
• Complex to use
• Becoming widely accepted


Comparison of Control Models

The three models, with the components each one defines (table on the original slide):
• CoCo: Purpose; Commitment; Capability; Monitoring & Learning
• COSO: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
• SysTrust v. 3: Policies; Communication; Procedures; Monitoring

Control environment

• Management philosophy and operating style - attitudes toward financial reporting, risk taking, meeting budgets, etc.; these have a significant impact on the control structure
• Organizational structure - consider the form and nature of organizational units and assign authority and responsibility appropriately
• Audit committee - should have an active one

Control environment (cont’d)

• Effective methods to communicate and assign responsibility
• Effective management control methods
• Proper system development methodology - for developing and modifying systems and procedures, including programs
• Effective personnel methods - hiring, firing, evaluating, promoting and compensating
• External controls - such as regulatory agencies

Risk Assessment

Risk assessment flow (diagram on the original slide):
• Objectives/requirements of users, regulators and other stakeholders (e.g., availability, integrity and maintainability), met by anticipating/forecasting threats that can lead to
• system errors, faults and failures, which call for
• controls/countermeasures to deter, prevent, detect and correct unacceptable errors, faults and failures, and to tolerate acceptable ones

Risk Assessment

• Categories of exposures: (1) potential disasters such as interruption, loss of data, material inaccuracies, manipulation; and (2) competitive disadvantage - loss of position, inefficient use of IT, excessive technology expenditures, etc.
• Exposure weights distinguish the severity of different types of consequences: frauds vs. errors - one may be more significant than the other at any time (frauds due to management override are severe, or a continuing error caused by a control weakness may be worse at times)
• Risk and magnitude must be assessed before preventive/detective controls are introduced

Risk Assessment

Identify Sources of Exposures and Degrees of Risk (matrix on the original slide): each source of exposure (infrastructure, software, people, procedures, data) is assessed against each attribute (availability, security, integrity, maintainability), and each cell is addressed through policy, communication, procedures and monitoring.

Risk Assessment

Warning signs in systems that problems exist include:
• recurring system outages
• constant redoing of apps
• repeated requests for hardware replacements
• recurring system conversions
• rapidly growing budget
• excessive reliance on outsiders
• high staff turnover
• no long term plans
• continual dissatisfaction with info
• persistent errors
• hard to communicate with IT personnel

Risk Assessment

Strategies for Dealing with Risks

• Need to reduce risk to an acceptable level - never achieve 0; compare costs/benefits
• Use deterrent, directive, preventive controls
• Assess probability of loss occurring from exposure, including the probability of control system failure - can't prevent all errors
• Determine potential size of loss consequences
• Use weighted exposure - assess prob * loss * importance
• Use detective controls - maximize chance at detection
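The weighting rule above (probability * loss * importance), the point that a control can itself fail, and the cost/benefit comparison can be put together in a small scoring model. The following is an added example and not part of the lecture; the exposure and control figures, the 0..1 probability scale and the 1..3 importance scale are constructed illustrations, and the "acceptable level" threshold is a hypothetical management parameter.

```python
"""Weighted-exposure scoring and cost/benefit screening of controls.

Added example; not from the lecture. It implements the lecture's rule
"weighted exposure = probability * loss * importance" and its point that
risk is reduced to an acceptable level, never to zero, because the control
itself has a probability of failing. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float   # chance the exposure is realised per year, 0..1
    loss: float          # size of the loss consequence if realised (currency units)
    importance: float    # weight for how much this consequence matters, e.g. 1..3


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    failure_prob: float  # P(control fails to prevent/detect); never 0 in practice


def weighted_exposure(e: Exposure) -> float:
    """The lecture's metric: prob * loss * importance."""
    return e.probability * e.loss * e.importance


def residual_exposure(e: Exposure, c: Control) -> float:
    """Exposure that remains because the control fails with failure_prob."""
    return weighted_exposure(e) * c.failure_prob


def net_benefit(e: Exposure, c: Control) -> float:
    """Expected reduction in weighted exposure minus what the control costs."""
    return weighted_exposure(e) - residual_exposure(e, c) - c.annual_cost


def select_controls(exposures, candidates, acceptable_level):
    """For each exposure choose the cheapest candidate control that brings the
    residual exposure to or below acceptable_level AND has a positive net
    benefit. Returns {exposure_name: control_name or None}; None means no
    candidate meets both tests and the exposure needs a different treatment."""
    chosen = {}
    for e in exposures:
        viable = [c for c in candidates.get(e.name, [])
                  if residual_exposure(e, c) <= acceptable_level
                  and net_benefit(e, c) > 0]
        best = min(viable, key=lambda c: c.annual_cost, default=None)
        chosen[e.name] = best.name if best else None
    return chosen


# Constructed sample data (hypothetical figures)
EXPOSURES = [
    Exposure("data loss (disaster)", probability=0.10, loss=500_000, importance=3),
    Exposure("processing error", probability=0.50, loss=20_000, importance=1),
]
CANDIDATES = {
    "data loss (disaster)": [
        Control("offsite backups", annual_cost=20_000, failure_prob=0.05),
        Control("hot standby site", annual_cost=120_000, failure_prob=0.01),
    ],
    "processing error": [
        Control("input validation + review", annual_cost=5_000, failure_prob=0.20),
    ],
}

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.name}: weighted exposure {weighted_exposure(e):,.0f}")
        for c in CANDIDATES[e.name]:
            print(f"  {c.name}: residual {residual_exposure(e, c):,.0f}, "
                  f"net benefit {net_benefit(e, c):,.0f}")
    for level in (10_000, 5_000, 1_000):
        print(f"acceptable level {level:,}: {select_controls(EXPOSURES, CANDIDATES, level)}")
```

Lowering the acceptable level pushes the selection from the cheap control to the expensive one and eventually to no viable control at all, which is the cost/benefit trade-off the slide describes: the threshold, not the arithmetic, is the management decision.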

Control Activities

• Performance reviews - comparison of actual versus budget, analyses and follow-ups; corrective action
• Information processing - general and application controls
• Physical controls - asset safeguarding, access controls, periodic counts and reconciliations of assets/records
• Segregation of duties - authorizing, recording, custody
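Segregation of duties is only as good as the role assignments that implement it, so a practical control activity is to check those assignments for anyone holding two of the three incompatible duties within one process. The following is an added example and not part of the lecture; the role catalogue, the process names and the user assignments are constructed.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example, not from the lecture. It applies the lecture's three
incompatible duties (authorizing, recording, custody) to a constructed set
of user-to-role assignments and reports every user who holds more than one
of those duties for the same business process.
"""
from itertools import combinations

# The three duties the lecture says must be kept in separate hands.
DUTIES = ("authorize", "record", "custody")

# Constructed role catalogue: role -> (process, duty); None means no duty.
ROLE_DUTIES = {
    "ap_approver":      ("accounts_payable", "authorize"),
    "ap_clerk":         ("accounts_payable", "record"),
    "treasury_payer":   ("accounts_payable", "custody"),
    "inv_counter":      ("inventory", "record"),
    "warehouse_keeper": ("inventory", "custody"),
    "report_viewer":    ("inventory", None),   # read-only role
}


def duties_by_process(roles, role_duties=ROLE_DUTIES):
    """Map process -> set of duties a user holds through the given roles."""
    held = {}
    for role in roles:
        process, duty = role_duties[role]
        if duty is None:
            continue
        held.setdefault(process, set()).add(duty)
    return held


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES):
    """Return sorted (user, process, duty_a, duty_b) tuples, one per pair of
    incompatible duties a user holds within a single process. Holding duties
    in different processes (e.g. approving in AP, counting in inventory) is
    not flagged, because the lecture's rule is about one transaction cycle."""
    findings = []
    for user, roles in user_roles.items():
        for process, duties in duties_by_process(roles, role_duties).items():
            for a, b in combinations(sorted(duties), 2):
                findings.append((user, process, a, b))
    return sorted(findings)


# Constructed assignments
USER_ROLES = {
    "alice": ["ap_approver", "report_viewer"],
    "bob":   ["ap_clerk", "treasury_payer"],                      # records and pays in AP
    "carol": ["inv_counter", "warehouse_keeper", "ap_approver"],  # counts and keeps inventory
    "dave":  ["report_viewer"],
}

if __name__ == "__main__":
    for user, process, a, b in sod_conflicts(USER_ROLES):
        print(f"SoD conflict: {user} holds {a} and {b} in {process}")
```

Run against a real identity system the same logic applies to exported group memberships; the work is in maintaining an accurate role-to-duty catalogue, which is itself a management responsibility rather than a technical one.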

Information & Communication

• Information - methods and records to: identify and record all valid transactions; properly classify transactions; measure value; record in the proper time period; present/disclose in the financial statements
• Communication - roles and responsibilities

Monitoring and Learning

• Monitoring by management is critical
• Internal and external monitoring (customers, suppliers, etc.)
• CIO, CTO
• Steering committee to represent all key areas
• Internal audit, external audit
• External intelligence gathering firms such as Gartner, Forrester, Jupiter, etc.

Limitations of Internal Control

• Circumvention by collusion or management override
• Cost/benefit trade-offs: operating efficiency vs. complex controls
• Changing conditions that may cause deterioration
• Materiality limits
• Reliance on human judgement in the design and implementation of controls