6/11/2016 Filename Session 135 Control Practices and Control Theories Jeff Roth, CISA.


Slide 1: Session 135 Control Practices and Control Theories, Jeff Roth, CISA

Slide 2: Agenda
– Overview of control theory and controls found in practice
– Control objectives, risk mitigation and the practical design of an internal control framework
– Application of control theory to IT audit engagements

Slide 3: Introduction and Overview
Before we discuss internal controls, we first need to understand why we need to consider their use. In all aspects of our lives and business we have objectives. Examples are:
– making it to work on time
– producing goods or services that meet our customer requirements
– meeting earnings expectations of shareholders

Slide 4: Introduction and Overview
As we attempt to reach these goals, there are risks to achieving these stated objectives and avoiding undesirable outcomes.
Risk

Slide 5: Introduction and Overview
Types of Internal Controls (the optimum definition)
– Preventive controls are established to reasonably assure the prevention or deterrence of undesired outcomes and the attainment of established goals.
– Detective controls are established to reasonably assure the prompt detection of the occurrence of the undesirable event, or of the failure to meet an objective, at a point where it can still be corrected.

Slide 6: Quiz
What type of controls are these?
– Enable BIOS passwords
– Enable boot loader passwords
– Security logs for unsuccessful login attempts
– Data field mask for SSN
– Event triggers
– IT security training
– Disaster recovery testing
Answers shown on the slide: Preventive, Preventive and Detective, Detective

Slide 7: COSO
Per the COSO Enterprise Risk Framework, internal control is defined as a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations

Slide 8: COSO
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Slide 9: COSO
Risk Assessment – “...the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.”
Risk Response – “Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.”

Slide 10: COSO
Control Environment – the organisation's awareness of internal controls; it is the cornerstone of any system of controls and comprises:
– Integrity
– Ethics
– Competence of employees
– Management's philosophy and operating style
– Assignment of authority and responsibility, and organisation
– Attention and direction provided by the board of directors

Slide 11: COSO
Control Activities – policies and procedures that occur throughout the organisation, at all levels and in all functions:
– Segregation of duties
– Approvals and authorisations
– Verifications and reconciliations
– Reviews of operating performance
– Security of assets

Slide 12: COSO
Information and Communication
– Pertinent information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
– Effective communication also must occur in a broader sense, flowing down, across and up the organisation.

Slide 13: COSO
Monitoring – a process that assesses the quality of internal control performance over time through:
– Ongoing monitoring activities
– Separate evaluations
– A combination of the two

Slide 14: CobIT
CobIT combines the principles in COSO and other existing reference models:
– Quality
– Cost
– Delivery

Slide 15: CobIT
– Effectiveness and efficiency of operations
– Reliability of information
– Compliance with laws and regulations
– Confidentiality
– Integrity
– Availability

Slide 16: CobIT
Four domains:
– Planning and Organisation
– Acquisition and Implementation
– Delivery and Support
– Monitoring
The framework contains 34 IT processes. Control objectives are associated with each of these 34 processes; each process has from three to 30 detailed control objectives, for a total of 318.

Slide 17: CobIT

Slide 18: Practical Design and Testing of an Internal Control Framework
Internal controls fall within the following categories (COSO and CobIT):
– Confidentiality
– Integrity
– Availability
– Effectiveness
– Efficiency
– Compliance
– Reliability

Slide 19: Practical Design and Testing of an Internal Control Framework
First we must always determine the business objectives that have originated the need for the IT resource under review:
– Manufacture or produce goods or services, e.g. telecom for a call center or CAD/CAM programs for an assembly line
– Accurate recording and reporting of financial data

Slide 20: Practical Design and Testing of an Internal Control Framework
Next, complete a walkthrough of the business process, identify the risks and document the respective internal controls.
– The CAD/CAM drawing release process allows read/write capability to engineers and machinists authenticated to the network. Risk?
– The company procurement buyer has Accounts Payable access that allows for acceptance of invoices and authorisation of payment. Risk?
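The two walkthrough findings on this slide are segregation-of-duties (SoD) questions: one person holds privileges that should be split across independent parties. The following is an added example, not code from the presentation, showing how an auditor or access-review tool can test an entitlement extract against a set of SoD rules. The user names, privilege names and conflict rules are all constructed for illustration; a real review derives the rules from the process walkthrough itself.

```python
from collections import defaultdict

# Constructed sample entitlement extract: (user, system, privilege).
# Names and privileges are illustrative, not from any real system.
ENTITLEMENTS = [
    ("jdoe",   "procurement",      "create_purchase_order"),
    ("jdoe",   "accounts_payable", "accept_invoice"),
    ("jdoe",   "accounts_payable", "authorise_payment"),      # the buyer from the slide
    ("asmith", "procurement",      "create_purchase_order"),
    ("asmith", "accounts_payable", "view_invoice"),           # read-only: no conflict
    ("mlee",   "cad_cam",          "edit_drawing"),
    ("mlee",   "cad_cam",          "release_drawing"),        # the CAD/CAM case from the slide
    ("rkhan",  "accounts_payable", "accept_invoice"),
    ("rkhan",  "accounts_payable", "authorise_payment"),
]

# SoD rules: pairs of privileges one person should not hold together, with the
# risk each pair creates. Assumed for this example.
SOD_RULES = {
    ("create_purchase_order", "accept_invoice"):  "buyer can accept invoices against own orders",
    ("create_purchase_order", "authorise_payment"): "buyer can pay own orders",
    ("accept_invoice", "authorise_payment"):       "no independent review between acceptance and payment",
    ("edit_drawing", "release_drawing"):           "author can release own unreviewed drawing changes",
}


def privileges_by_user(entitlements):
    """Collapse the extract to {user: set(privileges)} across all systems."""
    by_user = defaultdict(set)
    for user, _system, privilege in entitlements:
        by_user[user].add(privilege)
    return by_user


def find_sod_conflicts(entitlements, rules=SOD_RULES):
    """Return a sorted list of (user, privilege_a, privilege_b, risk) for every
    rule that a single user violates. An empty list means no conflicts."""
    conflicts = []
    for user, privs in privileges_by_user(entitlements).items():
        for (priv_a, priv_b), risk in rules.items():
            if priv_a in privs and priv_b in privs:
                conflicts.append((user, priv_a, priv_b, risk))
    return sorted(conflicts)


if __name__ == "__main__":
    for user, priv_a, priv_b, risk in find_sod_conflicts(ENTITLEMENTS):
        print(f"{user}: {priv_a} + {priv_b} -> {risk}")
```

Run against the constructed extract, the check flags jdoe three times, mlee once and rkhan once, while asmith's read-only Accounts Payable access passes. Because the rules are keyed on privilege names rather than on the system that grants them, a conflict that spans two applications (procurement and Accounts Payable here) is caught the same way as one inside a single application.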

Slide 21: Practical Design and Testing of an Internal Control Framework
Testing of internal controls
Case One – The SDLC review
– You are assigned to audit the development and implementation of a major financial system. Where do you start?
Using the control objective approach, we can focus on the Planning and Organisation and the Acquisition and Implementation domains.

Slide 22: Practical Design and Testing of an Internal Control Framework
Case One – The SDLC review
Examples of control objectives:
– PO4 Define the Information Technology Organisation and Relationships
4.14 Contracted Staff Policies and Procedures: Management should define and implement relevant policies and procedures for controlling the activities of consultants and other contract personnel by the IT function to assure the protection of the organisation's information assets.

Slide 23: Practical Design and Testing of an Internal Control Framework
Case One – The SDLC review
Examples of control objectives:
AI1 Identify Automated Solutions
– 1.9 Cost-Effective Security Controls: “Management should ensure that the costs and benefits of security are carefully examined in monetary and non-monetary terms to guarantee that the costs of controls do not exceed benefits. The decision requires formal management sign-off. All security requirements should be identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.…”

Slide 24: Practical Design and Testing of an Internal Control Framework
Case Two – Disaster Recovery and Business Continuity Review
Examples of control objectives:
DS04 Ensure Continuous Service
– 4.3 IT Continuity Plan Contents: IT management should ensure that a written plan is developed containing the following:
– Guidelines on how to use the continuity plan
– Emergency procedures to ensure the safety of all affected staff members
– Response procedures meant to bring the business back to the state it was in before the incident or disaster

Slide 25: Control Frameworks Integrated into IT Audit Engagements
Thinking outside of the box. You are assigned to audit an MVS mainframe environment and note the following:
– Supervisor Calls (SVC) 50 cannot be explained by the system programmer. (IBM proprietary and installed under service contract.)

Slide 26: Control Frameworks Integrated into IT Audit Engagements
You are assigned to audit an MVS mainframe environment and note the following:
– Duplicate Authorized Program Facility (APF). (Could indicate malicious code.)
You found these conditions because you reviewed existing system requirements for the LPAR under review (CobIT DS09 Manage Configuration).

Slide 27: Control Frameworks Integrated into IT Audit Engagements
You are reviewing the provisioning process for the network accounts and notice:
– The meta-directory application is quite old and supports only LDAP release 2. (It does not support encrypted transmission of passwords and is probably no longer supported by the vendor.)

Slide 28: Control Frameworks Integrated into IT Audit Engagements
– User accounts are processed manually (new, transfers, and terminations). (High degree of risk for outdated or incorrect access rights.)
You found these conditions because you reviewed existing system planning and security processes (CobIT PO3 IT Directions and DS05 Security).
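When joiners, transfers and terminations are processed by hand, the compensating control an auditor looks for is a periodic reconciliation of the directory against the HR system of record, i.e. a detective control for the "outdated or incorrect access rights" risk on this slide. The following is an added example, not from the presentation, of such a reconciliation: it reports enabled accounts for terminated staff (and whether they logged on after their end date), transfers whose directory department was never updated, accounts with no HR record at all, and active staff with no account. The HR roster, directory export and dates are constructed for illustration.

```python
from datetime import date

# Constructed HR roster (system of record for people); not real data.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "department": "procurement"},
    "asmith": {"status": "active",     "department": "finance"},      # transferred from procurement
    "mlee":   {"status": "terminated", "department": "engineering", "end_date": date(2016, 5, 20)},
    "rkhan":  {"status": "active",     "department": "finance"},      # joiner, account never created
}

# Constructed export of the directory / meta-directory; not real data.
DIRECTORY = {
    "jdoe":       {"enabled": True, "department": "procurement", "last_logon": date(2016, 6, 10)},
    "asmith":     {"enabled": True, "department": "procurement", "last_logon": date(2016, 6, 9)},
    "mlee":       {"enabled": True, "department": "engineering", "last_logon": date(2016, 6, 1)},
    "svc_backup": {"enabled": True, "department": None,          "last_logon": date(2016, 6, 11)},
}


def reconcile(hr_roster, directory, as_of):
    """Compare directory accounts with the HR roster as of a given date and
    return a dict of findings, each a list (empty when the check passes)."""
    findings = {
        "terminated_but_enabled": [],   # (user, days_since_end_date, logged_on_after_end)
        "transfer_not_reflected": [],   # (user, directory_department, hr_department)
        "no_hr_record": [],             # accounts that map to nobody in HR
        "missing_account": [],          # active staff without a directory account
    }
    for user, account in directory.items():
        hr = hr_roster.get(user)
        if hr is None:
            findings["no_hr_record"].append(user)
        elif hr["status"] == "terminated" and account["enabled"]:
            days_open = (as_of - hr["end_date"]).days
            used_after = account["last_logon"] > hr["end_date"]
            findings["terminated_but_enabled"].append((user, days_open, used_after))
        elif hr["department"] != account["department"]:
            findings["transfer_not_reflected"].append((user, account["department"], hr["department"]))
    for user, hr in hr_roster.items():
        if hr["status"] == "active" and user not in directory:
            findings["missing_account"].append(user)
    return findings


if __name__ == "__main__":
    for check, items in reconcile(HR_ROSTER, DIRECTORY, date(2016, 6, 11)).items():
        print(f"{check}: {items or 'OK'}")
```

The "no HR record" list is where service and shared accounts surface; each needs a documented owner rather than being dismissed, since an unowned account is exactly what a manual process tends to leave behind. The "days open" figure for terminated staff gives the auditor a measurable lag to compare against the organisation's own deprovisioning standard.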

Slide 29: Summary
Well established and internationally accepted internal control frameworks are available for use by the IT assurance professional. These frameworks embody the essence of what internal controls are and why management and stakeholders within an organisation need to ensure their implementation. They provide a disciplined approach to identifying objectives, risks, and internal controls, or the lack of internal controls.

Slide 30: Summary
Provide a disciplined approach to identifying objectives, risks, and internal controls (or lack of internal controls).

Slide 31: Questions
Jeff Roth, CISA
j4c4@hotmail.com

