Chapter Three IT Risks and Controls

Lecture Outline Identifying IT Risks Assessing IT Risks Identifying IT Controls Documenting IT Controls Monitoring IT Risks and Controls

Types of IT Risks What is risk? Business risk Chances of negative outcomes Business risk Likelihood that an organization will not achieve its business goals and objectives Internal & external risk

Audit risk Likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements or an IT auditor fails to uncover a material error of fraud.

inherent risk control risk detection risk Likelihood of material errors or fraud inherent in the business environment. control risk Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis. detection risk Likelihood that audit procedures will not detect material errors or fraud on a timely basis.

Security risk Continuity risk Risks associated with data access and integrity. Physical or logical unauthorized access Negative outcomes Continuity risk Risks associated with an information system’s availability and backup and recovery.

Assessing IT Risk Threats and vulnerabilities Identify threats or exposures Access vulnerabilities to threats or exposures Determine acceptable risk level The expected value of risk Risk indicators and risk measurement Identify IT processes and then develop a set of risk indicators Risk indicators would point to a need for control

Identifying IT Control Once risks have been identified and accessed, specific controls need to be designed to control those risks. Most widely used internal control model COSO, Cadbury and CoCo

COSO (Committee of Sponsoring Organizations of the Treadway Commission) COSO framework Consists of a definition of internal control and identification of 5 components Internal control is broadly defined as a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Coso(Internal Control-Integrated Framework)

COSO cont.. 5 components of Internal Control (IC) Control environment Attitude of management toward internal control Risk assessment Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks. Control activities Internal control procedures and policies i.e., authorizations, approvals, passwords, and segregation of duties

COSO cont.. Information and communication Monitoring Refer to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives Monitoring Continuous monitoring of internal control system by regular audits and evaluations

International IC Standards Cadbury Stressed that internal control encompasses both financial and operational controls and the auditors should report both. CoCo (Canadian Criteria of Control Committee) Similar to COSO and Cadbury Group IC within 4 categories Purpose criteria that relate to an organization’s missions and objectives

International IC Standards cont.. Commitment criteria relate to ethics, policies, and corporate identity Capability criteria that relate to the competence of an organization Monitoring and learning criteria that concern an organization’s evolution Other country standards South Africa’s King Report France’s Vienot Report

Quality Control Standards In addition to IC, improve public conference in products and processes by adopting quality control standards ISO 9000 series – certifies that organizations comply with documented quality standards Six Sigma – an approach to process and quality improvement

Statements on Auditing Standards Issued by AICPA’s Accounting Standards Board SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55 SAS 94 The Effect of IT on the Auditor’s Consideration of IC in a Financial Staetment Audit New standards related to risk assessment

ISACA’s CobiT Integrates IC with information and IT Use by managers & business owners along with auditors and information users Three dimensions: information criteria, IT processes, and IT resources Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security

ISACA’s CobiT cont… Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring Each domain consists of processes CobiT identifies a control objectives for each processes New management guidelines (new addition)

Systems Reliability Assurance American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants  SysTrust SysTrust Increase management, customer, supplier, and business partner confidence in the IT

Documenting It Controls Internal control narratives Text describing controls over a particular risk Flowcharts – internal control flowchart Picture are easier to understand, follow and update IC questionnaires Ask questions about IC over various applications, processes, or risks Users or administrators would complete the questionnaires with yes or no answer

Monitoring IT Risks and Controls CobiT identifies several control objectives associated with monitoring Monitoring the processes Accessing IC adequacy Obtaining independent assurance Providing independent audit Need for independent assurance and audit of IT controls