Chapter One - Indiana University


Chapter Three
IT Risks and Controls
The Risk Management Process
(Diagram: a five-step cycle)
1. Identify IT Risks
2. Assess IT Risks
3. Identify IT Controls
4. Document IT Controls
5. Monitor IT Risks and Controls
Types of IT Risks
• Business risk
• Audit risk = IR * CR * DR
  – inherent risk (IR)
  – control risk (CR)
  – detection risk (DR)
• Security risk
• Continuity risk

Assessing IT Risk
• Threats and vulnerabilities
• Risk (residual risk) =
  + Expected value of risk (Asset Value * Risk Likelihood)
  – Percentage of risk mitigated by the current controls
  + Uncertainty of knowledge about the vulnerability
• Risk indicators and risk measurement
  – Risks relative to IT processes

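A worked example of the two formulas on the preceding slides (added here for illustration; it is not part of the course material): it evaluates the audit risk model, solves that model for the detection risk an auditor can accept at a target audit risk, and applies the residual-risk estimate to a constructed asset inventory so the assets can be ranked as a risk indicator. It assumes that the mitigation and uncertainty percentages are taken of the expected value, which the slide does not state explicitly.

```python
from dataclasses import dataclass


def audit_risk(ir: float, cr: float, dr: float) -> float:
    """Audit risk model from the slides: AR = IR * CR * DR, each in [0, 1]."""
    for name, p in (("IR", ir), ("CR", cr), ("DR", dr)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {p}")
    return ir * cr * dr


def planned_detection_risk(target_ar: float, ir: float, cr: float) -> float:
    """The model rearranged: the detection risk the auditor can tolerate
    for a target audit risk (a lower result means more substantive testing)."""
    if ir * cr == 0.0:
        raise ValueError("IR and CR must be non-zero to solve for DR")
    return min(1.0, target_ar / (ir * cr))


@dataclass
class Asset:
    name: str
    value: float        # from the valuation methods on the "Valuation of Asset" slide
    likelihood: float   # probability the threat is realised, 0..1
    mitigated: float    # share of the expected loss removed by current controls, 0..1
    uncertainty: float  # allowance for incomplete knowledge of the vulnerability, 0..1

    def residual_risk(self) -> float:
        # Residual risk = expected value - mitigated share + uncertainty.
        # Assumption: both percentages are taken of the expected value.
        ev = self.value * self.likelihood
        return ev - ev * self.mitigated + ev * self.uncertainty


def rank_by_residual_risk(assets: list[Asset]) -> list[Asset]:
    """Risk indicator for the assessment step: highest residual risk first."""
    return sorted(assets, key=lambda a: a.residual_risk(), reverse=True)


# Constructed sample inventory, not from the course.
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 0.80, 0.10),
    Asset("payroll server", 200_000, 0.20, 0.50, 0.20),
    Asset("public web site", 50_000, 0.50, 0.30, 0.10),
]

if __name__ == "__main__":
    for a in rank_by_residual_risk(SAMPLE_ASSETS):
        print(f"{a.name:18s} residual risk = {a.residual_risk():>10,.0f}")
```

Note that the most valuable asset does not end up with the highest residual risk once existing controls are credited, which is the point of separating asset valuation from risk assessment.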
Valuation of Asset
• Assets: People, Data, Hardware, Software, Facilities, (Procedures)
• Valuation Methods
  – Criticality to the organization's success
  – Revenue generated
  – Profitability
  – Cost to replace
  – Cost to protect
  – Embarrassment/Liability

Internal Control (IC)
• COSO – 5 components of IC
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring
• International IC Standards
  – Cadbury
  – CoCo
  – Other country standards

Quality Control Standards
• ISO 9000 series – certifies that organizations comply with documented quality standards
• Six Sigma – an approach to process and quality improvement

Statements on Auditing Standards
• Issued by AICPA's Accounting Standards Board
• SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
• SAS 94 The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit
• New standards related to risk assessment

ISACA's CobiT
• Integrates IC with information and IT
• Three dimensions: information criteria, IT processes, and IT resources
• Requirements (information criteria) of quality, fiduciary, and security
• Organizes IT internal control into domains and processes
  – Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
  – Processes detail steps in each domain

IT Control Domains and Processes

IT Controls
• COSO identifies two groups of IT controls:
  – Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  – General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
A574 Internal Controls For Business

Segregation of Duties
• Transaction authorization is separate from transaction processing.
• Asset custody is separate from record-keeping responsibilities.
• The tasks needed to process the transactions are subdivided so that fraud requires collusion.
Separation of Duties within IS
Classification of Controls
• Preventive Controls: issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
• Detective Controls: issue is discovered – unauthorized disbursement is discovered during reconciliation
• Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

Application Control Goals
• For business event inputs, ensure
  – Input validity
  – Input completeness
  – Input accuracy
• For master data, ensure
  – Update completeness
  – Update accuracy

Application Control Goals
• Input validity
  – Input data are approved and represent actual economic events and objects
• Input completeness
  – Requires that all valid events or objects be captured and entered into the system
• Input accuracy
  – Requires that events be correctly captured and entered into the system

Systems Reliability Assurance
• SysTrust
• WebTrust
• New AICPA Trust Principles

Documenting IT Controls
• Internal control narratives
• Flowcharts – internal control flowchart
• IC questionnaires

Risk Control Strategies
• Avoidance
  – Policy, Training and Education, or Technology
• Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
• Mitigation – reducing the impact through planning and preparation
• Acceptance – doing nothing if the cost of protection does not justify the expense of the control

Monitoring IT Risks and Controls
• CobiT control objectives associated with monitoring and evaluation
• Need for independent assurance and audit of IT controls