
EECS4482 2015
1 “There are risks and costs to a program of action, but they are far less than the long-range risks and costs of comfortable inaction.” – John F. Kennedy

2 Chapter 2 – I & IT Risks
- What can go wrong?
- Control implications of IT

3 Effect of Computer Processing
- Transaction trails may not exist
- Uniform processing of transactions eliminates random errors but may cause systematic errors
- Incompatible functions may not be segregated, and many internal controls are combined in the computer

4 Effect of Computer Processing
- Potential for errors and irregularities through inappropriate access to computer data or systems
- Errors are also harder to observe
- Potential for increased management supervision with a wide variety of analytical tools
- Initiation or subsequent execution of transactions by computer

5
- In June 2012, LinkedIn investigated the possible leaking of several million of its users' passwords after a member of a Russian online forum said he had hacked the networking site and uploaded close to 6.5 million passwords to the internet.
- Oct 2011: BlackBerry global outage for four days.

6 Some Sources of Problems
- Requirement definition omissions or mistakes
- System design
- Hardware implementation, such as wiring and chip flaws
- Programming
- System use and operation

7 Some Sources of Problems
- Abuse and misuse
- Hardware malfunction
- Natural disasters
- Maintenance or upgrade faults

8 Inherent Risk
- Risk of errors or undesirable financial events occurring.
- Depends on the industry and nature of the organization.

9 Control Risk
- Risk of controls not being able to prevent or detect errors or undesirable events.
- Depends on the organization’s practices and businesses.
- It is the complement of control reliability.

10 IT Effect on Inherent Risk
- Inherent risk is the likelihood of an undesirable event occurring.
- IT frequently affects inherent risk, as it supports new ways of doing business or involves new procedures for transaction processing.

11 IT Effect on Inherent Risk
- An example of how IT affects inherent risk is eBusiness.
- eBusiness increases inherent risk because external parties are responsible for entering transaction data: customers are not trained data entry people, so the probability of input error is higher.

12 IT Effect on Inherent Risk
- Can IT decrease inherent risk?

13 IT Can Decrease Inherent Risk
- Automation reduces human errors in transaction processing
- Automation can reduce delay in processing

14 IT Effect on Control Risk
- Control risk is the risk of a control not working properly, either because of inappropriate design or because of non-compliance.
- Does IT increase control risk?

15 IT Effect on Control Risk
- IT can increase control risk because it tends to weaken segregation of duties: fewer people are involved in transaction processing.
- IT increases control risk when transaction pre-approval is replaced with exception checking.

16 IT Effect on Control Risk
- IT can reduce control risk by automatically creating an audit trail. An automated audit trail is more consistently prepared than a manual audit trail.
- IT can reduce control risk because computer edits (programmed validation checks on input) are more reliable than human verification.

17 Residual Risk
- Control risk x inherent risk.
- Management should demand low residual risk.

18 IT Effects on Risks
- Overall, there are more factors increasing all risk types than decreasing them when more IT is used, mainly because of the less visible audit trail, weaker segregation of duties, open access and system complexity.

19 Risks in Using IT
- Think of risk as the absence of attributes that you want to see in a system or process to ensure:
  - Completeness
  - Authorization
  - Accuracy
  - Timeliness
  - Occurrence
- Memorize them as CAATO.

20 IT Risks
- IT risks can occur in the input, processing and output phases of a transaction cycle.
- IT risks can also occur on stored data.
- There are also risks in simply retrieving data.

21 Input Risks
- Incorrect input, e.g., entering the wrong grades for students.
- Untimely input, e.g., entering a course drop form after the drop deadline.
- Incomplete input, such as omitting the processing of cheques cashed in a bank.

22 Input Risks
- Unauthorized transaction. An example is one customer entering a Web transaction using another customer’s account.
- Unauthorized change to master files, e.g., a warehouse staff member changes a sale price.
- Lost audit trail.
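The input risks on slides 21 and 22 line up one-to-one with the CAATO attributes, and the "computer edits" of slide 16 are the programmed checks that catch them at entry. The Python below is an added example, not code from the course or its slides: a single edit routine that reports which attribute a submitted transaction fails, run over constructed transactions that mirror the slides' examples (wrong grade, late course drop, another customer's account, warehouse staff changing a price, missing field, replayed submission). The accounts, roles, drop deadline, value ranges and transaction shapes are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed reference data (assumptions for the example, not from the slides).
ACCOUNT_OWNER = {"ACC-100": "alice", "ACC-200": "bob"}
ROLES = {"alice": "customer", "bob": "customer", "carol": "pricing_manager",
         "dave": "warehouse", "erin": "instructor"}
DROP_DEADLINE = date(2015, 3, 6)
REQUIRED = {
    "order": ("account", "sku", "qty"),
    "course_drop": ("student", "course"),
    "grade": ("student", "course", "grade"),
    "price_change": ("sku", "price"),   # a master-file change, not a transaction
}


@dataclass
class Txn:
    txn_id: str   # client-supplied identifier, used as an idempotency key
    kind: str     # one of REQUIRED's keys
    user: str     # authenticated session user who submitted it
    fields: dict


def in_range(value, lo, hi) -> bool:
    """Accuracy edit: numeric (not bool) and within [lo, hi]."""
    return isinstance(value, (int, float)) and not isinstance(value, bool) and lo <= value <= hi


def edit_check(t: Txn, today: date, seen: set) -> list:
    """Programmed input edits keyed to CAATO. Returns the attributes the transaction
    fails, in CAATO order; an empty list means the input is accepted."""
    failures = []

    # Completeness: every required field is present.
    if any(f not in t.fields for f in REQUIRED[t.kind]):
        failures.append("Completeness")

    # Authorization: the submitter is allowed to act on this record.
    if t.kind == "order" and ACCOUNT_OWNER.get(t.fields.get("account")) != t.user:
        failures.append("Authorization")   # one customer using another customer's account
    elif t.kind == "price_change" and ROLES.get(t.user) != "pricing_manager":
        failures.append("Authorization")   # e.g. warehouse staff changing a sale price
    elif t.kind == "grade" and ROLES.get(t.user) != "instructor":
        failures.append("Authorization")

    # Accuracy: values of the right type and in range. Only checked when the field
    # is present, so a missing field is reported once, under Completeness.
    accuracy = {"order": ("qty", 1, 10_000), "grade": ("grade", 0, 100),
                "price_change": ("price", 0.01, 1_000_000)}.get(t.kind)
    if accuracy:
        name, lo, hi = accuracy
        if name in t.fields and not in_range(t.fields[name], lo, hi):
            failures.append("Accuracy")

    # Timeliness: a course drop is only valid up to the drop deadline.
    if t.kind == "course_drop" and today > DROP_DEADLINE:
        failures.append("Timeliness")

    # Occurrence: each transaction id is processed once; a replay is rejected
    # instead of being recorded as a second transaction that never happened.
    if t.txn_id in seen:
        failures.append("Occurrence")
    else:
        seen.add(t.txn_id)
    return failures


def demo() -> dict:
    """Constructed transactions mirroring the slides' examples (assumed data)."""
    seen = set()
    today = date(2015, 3, 10)  # after the constructed drop deadline
    order = {"account": "ACC-100", "sku": "WIDGET", "qty": 2}
    cases = {
        "good_order": Txn("t1", "order", "alice", dict(order)),
        "other_customers_account": Txn("t2", "order", "alice", {**order, "account": "ACC-200"}),
        "warehouse_changes_price": Txn("t3", "price_change", "dave", {"sku": "WIDGET", "price": 1.0}),
        "wrong_grade": Txn("t4", "grade", "erin", {"student": "s1", "course": "EECS4482", "grade": 104}),
        "late_drop": Txn("t5", "course_drop", "alice", {"student": "s1", "course": "EECS4482"}),
        "missing_qty": Txn("t6", "order", "bob", {"account": "ACC-200", "sku": "WIDGET"}),
        "replayed_order": Txn("t1", "order", "alice", dict(order)),
    }
    return {name: edit_check(t, today, seen) for name, t in cases.items()}


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:26s} -> {'accepted' if not failed else ', '.join(failed)}")
```

The point of keying each edit to an attribute is that a rejected input tells the auditor which CAATO property the control protects; the authorization edits in particular are where IT can restore the segregation of duties that slide 15 says it tends to weaken, by tying who may submit a transaction or change a master file to the authenticated user's role rather than to a manual approval step.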

23 Processing Risks
- Incomplete processing, e.g., a Web order releases inventory but does not charge the credit card after doing the credit check.
- Inaccurate processing, e.g., skipping an interest calculation because a program does not know how to cope with a hardware failure.
- Undocumented processes.
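The incomplete-processing example above (inventory released, card never charged) is a failure of atomicity, and it also produces the lost audit trail of slide 22 and undoes the automatic audit trail that slide 16 credits to IT. The Python/sqlite3 code below is an added example, not from the course slides: it runs the slide's scenario both ways, first with each step committed on its own, then with release, charge and audit entry wrapped in one database transaction that is rolled back when the card is declined. The product, the payment-gateway stub and its "cards ending in 0000 are declined" rule are constructed assumptions.

```python
import sqlite3


class CardDeclined(Exception):
    pass


def setup_db() -> sqlite3.Connection:
    """Constructed sample data (assumption): one product with 10 units in stock."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit; transactions are opened explicitly below
    conn.execute("CREATE TABLE inventory (sku TEXT PRIMARY KEY, qty INTEGER NOT NULL)")
    conn.execute("CREATE TABLE charges (order_id TEXT PRIMARY KEY, card TEXT, amount INTEGER)")
    conn.execute("CREATE TABLE audit_log (seq INTEGER PRIMARY KEY, order_id TEXT, event TEXT)")
    conn.execute("INSERT INTO inventory VALUES ('WIDGET', 10)")
    return conn


def charge_card(card: str, amount: int) -> None:
    """Hypothetical payment-gateway stub (assumption): cards ending in 0000 are declined."""
    if card.endswith("0000"):
        raise CardDeclined(f"card {card} declined for {amount}")


def process_order_unsafe(conn, order_id, sku, qty, card, amount) -> None:
    """The slide's failure mode: each statement commits on its own, so when the
    charge fails the inventory is already released and no audit entry exists."""
    conn.execute("UPDATE inventory SET qty = qty - ? WHERE sku = ?", (qty, sku))
    charge_card(card, amount)  # raises CardDeclined; the UPDATE above stays committed
    conn.execute("INSERT INTO charges VALUES (?, ?, ?)", (order_id, card, amount))
    conn.execute("INSERT INTO audit_log (order_id, event) VALUES (?, 'charged')", (order_id,))


def process_order(conn, order_id, sku, qty, card, amount) -> bool:
    """Completeness control: release, charge and audit entry succeed or fail together."""
    conn.execute("BEGIN")
    try:
        cur = conn.execute(
            "UPDATE inventory SET qty = qty - ? WHERE sku = ? AND qty >= ?", (qty, sku, qty))
        if cur.rowcount != 1:
            raise ValueError("insufficient stock")
        charge_card(card, amount)
        conn.execute("INSERT INTO charges VALUES (?, ?, ?)", (order_id, card, amount))
        conn.execute("INSERT INTO audit_log (order_id, event) VALUES (?, 'released and charged')",
                     (order_id,))
        conn.execute("COMMIT")
        return True
    except (CardDeclined, ValueError) as exc:
        conn.execute("ROLLBACK")  # inventory is back to what it was before the order
        # The rejection itself is recorded, so the trail shows what happened and why.
        conn.execute("INSERT INTO audit_log (order_id, event) VALUES (?, ?)",
                     (order_id, f"rejected: {exc}"))
        return False


def stock(conn, sku: str) -> int:
    return conn.execute("SELECT qty FROM inventory WHERE sku = ?", (sku,)).fetchone()[0]


def demo() -> dict:
    conn = setup_db()
    out = {}
    try:
        process_order_unsafe(conn, "o1", "WIDGET", 3, "4111-0000", 300)
    except CardDeclined:
        pass
    out["unsafe_stock"] = stock(conn, "WIDGET")                                    # 7: units gone, nothing charged
    out["unsafe_audit_rows"] = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]  # 0: trail lost
    out["safe_declined"] = process_order(conn, "o2", "WIDGET", 3, "4111-0000", 300)  # False
    out["safe_stock_after_decline"] = stock(conn, "WIDGET")                        # still 7
    out["safe_ok"] = process_order(conn, "o3", "WIDGET", 3, "4111-1234", 300)        # True
    out["stock_after_ok"] = stock(conn, "WIDGET")                                  # 4
    out["charges"] = conn.execute("SELECT COUNT(*) FROM charges").fetchone()[0]      # 1
    out["audit_rows"] = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0] # 2
    return out


if __name__ == "__main__":
    print(demo())
```

The unsafe path leaves the books inconsistent in two ways at once: three units disappear from inventory with no matching charge, and there is no audit row to explain it. The transactional version keeps the audit entry inside the same unit of work as the processing it describes, which is what makes an automated trail "more consistently prepared" than one written separately after the fact.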

24 Processing Risks
- Unauthorized processing: what does this mean?
- An example is automatically transferring funds from a customer account without authorization.

25 Processing Risks
- Untimely processing, e.g., a payroll run after the cut-off date, resulting in employees not getting paid.
- Another example is recording an invoice after the year-end closing, resulting in understatement of receivables or payables.

26 Output Risks
- Incomplete output, e.g., a cheque run terminated abruptly, resulting in some vendors not getting paid and the company getting charged interest.
- Inaccurate report.
- Unauthorized output, e.g., warehouse people receiving the executive pay report.

27 Output Risks
- Examples (untimely output):
  - Late report
  - Late customer statements
  - Late T4’s

28 Stored Data Risks
- Unauthorized access to data, e.g., an accounts payable person downloads a payroll file.
- Unavailability of data, e.g., a power outage knocks down a server and causes data corruption.
- Data loss.

29 Risk Matrix (cells blank on the slide; one row per phase, one column per CAATO attribute)

             | Completeness | Authorization | Accuracy | Timeliness | Occurrence
-------------+--------------+---------------+----------+------------+-----------
Input        |              |               |          |            |
Processing   |              |               |          |            |
Output       |              |               |          |            |
Storage      |              |               |          |            |

30 Other Systems Risks Outside Transaction Processing
- Computer fraud
- Computer crime
- Hackers
- Viruses

31 Other Systems Risks
- Incorrect use of systems and information
- Use of systems and information for improper purposes
- Sabotage

32 Other Systems Risks
- Disasters like fire and flood
- Power failure
- System not meeting user requirements
- Hardware and software malfunctions

33 Personal Computer Risks
- Ease of access
- Unstructured systems development
- User may cause damage to files or operating systems
- Unlicensed software
- Virus infection
- Loss of laptops

34 Summary of Main Points
- Audit risk = inherent risk x control risk x detection risk (risk of substantive audit procedure failure).
- The risk factors of incompleteness, inadequate authorization, inaccuracy, untimeliness, lack of substantiation and inefficiency apply to inherent risk and control

35 Summary
- Residual risk = inherent risk x control risk.
- The business owner owns the risk.
- Senior management should set corporate guidelines and approval levels for risk acceptance.
- Outsourcing increases all risks.

36 Summary
- Exposure = risk x materiality
- Threat = a particular risk without the probability quantification, e.g., the threat of terrorism. A threat, once quantified, becomes a risk.
- Vulnerability = exposure resulting from control risk

37 MC Question
What will happen if two bits are altered during data communication, i.e., a 0 becoming a 1 and vice versa?
A. The transaction will be incorrectly recorded.
B. Confidentiality will be breached.
C. The network will be jammed.
D. The message will be intact because of the offsetting errors.
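To make the question concrete, the Python below is an added example, not from the course slides: a constructed eight-byte record has two bits flipped so that a 0 becomes a 1 and a 1 becomes a 0, and the receiver re-checks it with three different integrity mechanisms (a single parity bit, CRC-32 and an HMAC). The record contents, the bit positions and the shared key are assumptions made for the example.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-secret"  # assumption: a key provisioned out of band


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given bit positions inverted (bit 0 = MSB of byte 0)."""
    buf = bytearray(data)
    for p in positions:
        buf[p // 8] ^= 0x80 >> (p % 8)
    return bytes(buf)


def parity(data: bytes) -> int:
    """One even-parity bit over the whole message: the weakest common check."""
    return bin(int.from_bytes(data, "big")).count("1") % 2


def crc(data: bytes) -> int:
    """CRC-32: catches accidental corruption, but anyone can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac(data: bytes) -> bytes:
    """HMAC-SHA256 under a shared key: catches corruption and deliberate alteration."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def transmit(record: bytes, corrupt_positions) -> dict:
    """Sender attaches the three checks, the channel flips bits, the receiver re-checks."""
    sent_parity, sent_crc, sent_mac = parity(record), crc(record), mac(record)
    received = flip_bits(record, corrupt_positions)
    return {
        "received": received,
        "intact": received == record,
        "parity_detects": parity(received) != sent_parity,
        "crc_detects": crc(received) != sent_crc,
        "hmac_detects": not hmac.compare_digest(mac(received), sent_mac),
    }


def demo() -> dict:
    record = b"AMT=0100"  # constructed record: an amount field reading 0100
    # Bits 39 and 47 are the low bits of bytes 4 and 5: '0' (0x30) becomes '1' (0x31)
    # and '1' (0x31) becomes '0' (0x30), i.e. a 0 becoming a 1 and vice versa.
    return {
        "two_bits": transmit(record, [39, 47]),
        "one_bit": transmit(record, [39]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two offsetting flips turn the amount 0100 into 1000, so the record is not intact; a single parity bit does not even notice, because the number of one-bits is unchanged. A CRC catches the change, but only accidental change: whoever alters a message on purpose can recompute the CRC, which is why integrity over a channel the sender does not control needs a keyed MAC rather than an error-detecting code.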

38 MC Question
“Passwords may be easily broken.” This is a(n):
A. inherent risk.
B. weakness.
C. control risk.
D. conclusion.

39 MC Question
“With the current infrastructure, we stand to lose $2 million of business a year as a result of system breakdown.” This is a(n):
A. exposure.
B. conclusion.
C. residual risk.
D. accepted risk.

