This Lecture Covers IT Control Frameworks

Liberating Control from Fin Reptg ITCG COBIT New frameworks such as AICPA/CICA SysTrust Principles and Criteria for Systems Reliability

Control Frameworks

CICA

ISACA Introduced CoBIT, CoBIT2, CoBIT3 (2000) Emphasized IT controls Identifies 34 high level control objectives Has 302 recommended detail control objectives Complex to use Becoming widely accepted

ISACA

Comparison of Control Models

Control environment Management philosophy and operating style - attitudes toward financial reporting. risk taking, meeting budgets etc. - these have a significant impact on the control structure Organizational structure - consider form and nature of org. units and assign authority and responsibility appropriately Audit committee - should have an active one

Control environment (cont’d) Effective methods to communicate and assign responsibility Effective management control methods Proper system development methodology - for developing and modifying systems and procedures, including programs Effective personnel methods - hiring, firing, evaluating, promoting and compensating External controls - such as regulatory agencies

Risk Assessment

Categories of exposures - (1) potential disasters such as interruption, loss of data, material inaccuracies, manipulation, and (2) competitive disadvantage - loss of position, inefficient use of IT, excessive technology expenditures, etc. Exposure weights - distinguish the severity of different types of consequences - frauds vs. errors - one may be more significant than other at any time (frauds due to mgmt. override are severe or continuing error because of control weakness may be worse at times) Risk and magnitude must be assessed before preventive/detective controls introduced Risk Assessment

Identify Sources of Exposures and Degrees of Risk

Risk Assessment Warning signs in systems that problems exist include recurring system outages constant redoing of apps repeated requests for hardware replacements recurring system conversions rapidly growing budget excessive reliance on outsiders high staff turnover no long term plans continual dissatisfaction with info persistent errors hard to communicate with IT personnel

Risk Assessment Strategies for Dealing with Risks need to reduce risk to acceptable level - never achieve 0 - comparing costs/benefits use of deterrent, directive, preventive controls assess probability of loss occurring from exposure prob. of control system failure - can’t prevent all errors determine potential size of loss consequences use weighted exposure - assess prob * loss * importance use of detective controls - maximize chance at detection

Control Activities Performance reviews - comparison of actual versus budget, analyses and follow-ups; corrective action Information processing - general and application controls Physical controls - asset safeguarding, access controls, periodic counts and reconciliations of assets/records Segregation of duties - -authorizing -recording -custody

Information & Communication Information - methods and records to: -identify and record all valid transactions -properly classify transactions -measure value -record in proper time period -present/disclose in f/s Communication - roles and responsibilities

Monitoring and Learning Monitoring - by management is critical Internal and external monitoring (customers, suppliers, etc.) CIO, CTO Steering committee to represent all key areas Internal audit, external audit External intelligence gathering firms such as Gartner, Forrester, Jupiter, etc.

Limitations of Internal Control Circumvention by collusion or management override Cost/benefit trade-offs: operating efficiency vs. complex controls Changing conditions that may cause deterioration Materiality limits Reliance on human judgement in design and implementation of controls