Risk Management. IT Controls: Risk management process, IT controls, IT Governance Frameworks

Jan 13, 2016

Eustace Francis
Page 1: Risk Management. IT Controls Risk management process Risk management process IT controls IT controls IT Governance Frameworks IT Governance Frameworks.

Risk Management

Page 2

IT Controls

Risk management process
IT controls
IT Governance Frameworks

Page 3

The Risk Management Process

Identify IT Risks
Assess IT Risks
Identify IT Controls
Document IT Controls
Monitor IT Risks and Controls

Page 4

IT and Transaction Processing

The IS collects transaction data
The IS turns data into information
Computerized transaction systems increase some risks and decrease others

Page 5

AIS Threat Examples

Fraud
Computer crimes
Nonconformity with agreements & contracts between the organization & third parties
Violations of intellectual property rights
Noncompliance with other regulations & laws

Page 6

Types of IT Risks

Business risk
Audit risk = IR * CR * DR
– inherent risk (IR)
– control risk (CR)
– detection risk (DR)
Security risk
Continuity risk

Page 7

Valuation of Asset: What do we stand to lose?

Assets: People, Data, Hardware, Software, Facilities, (Procedures)

Valuation Methods
– Criticality to the organization’s success
– Revenue generated
– Profitability
– Cost to replace
– Cost to protect
– Embarrassment/Liability

Page 8

Page 9

IT Controls

COSO identifies two groups of IT controls:
– Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
– General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

Page 10: Risk Management. IT Controls Risk management process Risk management process IT controls IT controls IT Governance Frameworks IT Governance Frameworks.

10

Application Control GoalsApplication Control Goals

Input validityInput validity– Input data approved and represent actual Input data approved and represent actual

economic events and objectseconomic events and objects Input completenessInput completeness

– Requires that all valid events or objects be Requires that all valid events or objects be captured and entered into the systemcaptured and entered into the system

Input AccuracyInput Accuracy– Requires that events be correctly captured and Requires that events be correctly captured and

entered into the systementered into the system

Page 11

Classification of Controls

Preventive Controls: Issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation
Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data
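The following added example (not from the slides) turns the three application control goals on page 10 and the detective/corrective classification on page 11 into runnable checks over a batch of pre-numbered transactions: validity (approved vendor), accuracy (amount range, real calendar date) and completeness (no gaps in the document sequence), with the rejects landing on an error and summary report that a clerk corrects and resubmits. The vendor list, the batch and the field rules are constructed sample data.

```python
import datetime
from dataclasses import dataclass
APPROVED_VENDORS = {"V100", "V200"}   # constructed master data for the validity check

@dataclass
class Txn:
    seq: int      # pre-numbered document sequence, drives the completeness check
    vendor: str
    amount: float
    date: str     # ISO yyyy-mm-dd
def validate(txn):
    """Validity and accuracy checks on one record; returns the reasons it fails."""
    reasons = []
    if txn.vendor not in APPROVED_VENDORS:
        reasons.append("validity: vendor not approved")
    if not 0 < txn.amount <= 10_000:
        reasons.append("accuracy: amount out of range")
    try:
        datetime.date.fromisoformat(txn.date)
    except ValueError:
        reasons.append("accuracy: not a real calendar date")
    return reasons

def process_batch(batch, expected_range):
    """Detective control: error and summary report (posted seqs, rejects, sequence gaps)."""
    report = {"accepted": [], "errors": [], "missing_seqs": []}
    for t in batch:
        reasons = validate(t)
        if reasons:
            report["errors"].extend((t.seq, r) for r in reasons)
        else:
            report["accepted"].append(t.seq)
    seen = {t.seq for t in batch}
    lo, hi = expected_range                     # completeness: every pre-numbered doc seen?
    report["missing_seqs"] = [s for s in range(lo, hi + 1) if s not in seen]
    return report

def resubmit(batch, corrections):
    """Corrective control: merge the clerk's re-entered records (by seq); re-run process_batch."""
    fixed = {c.seq: c for c in corrections}
    merged = [fixed.pop(t.seq, t) for t in batch]
    return merged + list(fixed.values())        # re-entered records for missing seqs

# Constructed batch: 1003 is missing; 1002, 1004 and 1005 each fail one check.
SAMPLE_BATCH = [
    Txn(1001, "V100", 250.00, "2016-01-13"),
    Txn(1002, "V999", 80.00, "2016-01-13"),
    Txn(1004, "V200", -5.00, "2016-01-13"),
    Txn(1005, "V200", 42.00, "2016-13-01"),
]
```

Running `process_batch(SAMPLE_BATCH, (1001, 1005))` posts only 1001, lists 1002/1004/1005 with their reasons and reports 1003 as a sequence gap; the corrected records go back through the same checks rather than being trusted on re-entry.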

Page 12

Segregation of Duties

Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.
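As an added example (not part of the slides), the three segregation rules above expressed as checks an access review could run: the two forbidden duty pairs, a detective scan of current grants, a preventive check before a new grant, and a "collusion size" that answers how many people must cooperate to push one transaction through end to end. The duty names and the user assignments are constructed sample data.

```python
from itertools import combinations

# Duty pairs one person must not hold together (the two separations on the slide).
SOD_RULES = [
    frozenset({"authorize_txn", "process_txn"}),     # authorization vs processing
    frozenset({"asset_custody", "record_keeping"}),  # custody vs record-keeping
]

# The duties needed to push one transaction through end to end.
TXN_CHAIN = {"authorize_txn", "process_txn", "asset_custody", "record_keeping"}

# Constructed sample of user -> granted duties, as pulled from an access review.
ASSIGNMENTS = {
    "alice": {"authorize_txn"},
    "bob":   {"process_txn", "record_keeping"},
    "carol": {"asset_custody", "record_keeping"},               # violates rule 2
    "dave":  {"authorize_txn", "process_txn", "asset_custody"}, # violates rule 1
}

def conflicts_for(duties):
    """Return the violated rule pairs for one person's duty set, as sorted tuples."""
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= set(duties))

def find_violations(assignments):
    """Detective control: users whose current grants break a SoD rule."""
    found = {}
    for user, duties in assignments.items():
        conflicts = conflicts_for(duties)
        if conflicts:
            found[user] = conflicts
    return found

def grant_allowed(assignments, user, new_duty):
    """Preventive control: refuse a grant that would create a conflict."""
    return not conflicts_for(assignments.get(user, set()) | {new_duty})

def collusion_size(assignments, chain=TXN_CHAIN):
    """Smallest number of people whose combined duties cover the whole chain.
    1 means one person can complete a fraudulent transaction alone."""
    users = list(assignments)
    for k in range(1, len(users) + 1):
        for group in combinations(users, k):
            covered = set().union(*(assignments[u] for u in group))
            if chain <= covered:
                return k
    return None   # chain cannot be completed with the current grants
```

With the sample grants, carol and dave are flagged, alice may be given custody but not processing, and bob plus dave together cover the whole chain, so fraud needs two colluding people.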

Page 13

Separation of Duties within IS

Page 14

Documenting IT Controls

Internal control narratives
Flowcharts – internal control flowchart
IC questionnaires

Page 15

Risk Control Strategies

Avoidance
– Policy, Training and Education, or Technology
Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
Mitigation – reducing the impact through planning and preparation
Acceptance – doing nothing if the cost of protection does not justify the expense of the control

Page 16

Monitoring IT Risks and Controls

CobiT control objectives associated with monitoring and evaluation
Need for independent assurance and audit of IT controls

Page 17

Page 18

IT Governance

…the process for controlling an organization’s IT resources, including information and communication systems, and technology.
…using IT to promote an organization’s objectives and enable business processes and to manage and control IT related risks.
IT Auditors ensure IT governance by assessing risks and monitoring controls over those risks

Page 19

COSO and Internal Control (IC)

COSO – 5 components of IC
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

International IC Standards
– Cadbury
– CoCo
– Other country standards

Page 20

ISACA’s CobiT

Integrates IC with information and IT
Three dimensions: information criteria, IT processes, and IT resources
Requirements (information criteria) of quality, fiduciary, and security
Organizes IT internal control into domains and processes
– Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– Processes detail steps in each domain

Page 21

IT Control Domains and Processes

Page 22

What do IT auditors do?

Ensure IT governance by assessing risks and monitoring controls over those risks
Works as either internal or external auditor
Works on many kinds of audit engagements