Published by Brice Gallagher. Modified over 9 years ago.
This Lecture Covers IT Control Frameworks
- Liberating control from financial reporting
- ITCG
- COBIT
- New frameworks such as the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability
Control Frameworks
CICA
ISACA
- Introduced CoBIT, CoBIT2, CoBIT3 (2000)
- Emphasized IT controls
- Identifies 34 high-level control objectives
- Has 302 recommended detailed control objectives
- Complex to use
- Becoming widely accepted
ISACA
Comparison of Control Models
Control environment
- Management philosophy and operating style: attitudes toward financial reporting, risk taking, meeting budgets, etc. These have a significant impact on the control structure.
- Organizational structure: consider the form and nature of organizational units and assign authority and responsibility appropriately.
- Audit committee: the organization should have an active one.
Control environment (cont'd)
- Effective methods to communicate and assign responsibility
- Effective management control methods
- Proper system development methodology for developing and modifying systems and procedures, including programs
- Effective personnel methods: hiring, firing, evaluating, promoting and compensating
- External controls, such as regulatory agencies
Risk Assessment
Risk Assessment
- Categories of exposures: (1) potential disasters such as interruption, loss of data, material inaccuracies and manipulation; (2) competitive disadvantage, such as loss of position, inefficient use of IT and excessive technology expenditures.
- Exposure weights distinguish the severity of different types of consequences, e.g. frauds vs. errors. One may be more significant than the other at any given time: frauds due to management override are severe, but a continuing error caused by a control weakness may be worse at times.
- Risk and magnitude must be assessed before preventive and detective controls are introduced.
Identify Sources of Exposures and Degrees of Risk
Risk Assessment: Warning Signs
Warning signs in systems that problems exist include:
- recurring system outages
- constant redoing of applications
- repeated requests for hardware replacements
- recurring system conversions
- rapidly growing budget
- excessive reliance on outsiders
- high staff turnover
- no long-term plans
- continual dissatisfaction with information
- persistent errors
- difficulty communicating with IT personnel
Risk Assessment: Strategies for Dealing with Risks
- Reduce risk to an acceptable level; risk is never reduced to zero, so compare costs and benefits.
- Use deterrent, directive and preventive controls.
- Assess the probability of a loss occurring from an exposure, including the probability of the control system failing (controls cannot prevent all errors).
- Determine the potential size of the loss consequences.
- Use weighted exposure: assess probability * loss * importance.
- Use detective controls to maximize the chance of detection.
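The weighted-exposure strategy above is easy to apply mechanically once it is written down. The following is an added example, not part of the lecture slides, that ranks a set of constructed exposures by probability * loss * importance and then decides, exposure by exposure, whether a candidate preventive control is worth its annual cost. All figures are invented for illustration; the way the control's own failure probability discounts its benefit (multiplying the reduction by the chance the control works when needed) is this example's assumption, not a formula from the slides.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    probability: float  # annual probability the exposure is realised (0..1)
    loss: float         # size of the loss consequence, in currency units
    importance: float   # weight distinguishing consequence types (e.g. fraud vs. error)


@dataclass
class Control:
    name: str
    target: str                 # name of the exposure the control addresses
    annual_cost: float          # what running the control costs per year
    probability_reduction: float  # fraction of the exposure probability removed when it works
    failure_probability: float    # chance the control itself fails when needed (never 0)


def weighted_exposure(e: Exposure) -> float:
    """The slide's measure: probability * loss * importance."""
    return e.probability * e.loss * e.importance


def rank_exposures(exposures: list[Exposure]) -> list[Exposure]:
    """Highest weighted exposure first, so scarce control budget goes there."""
    return sorted(exposures, key=weighted_exposure, reverse=True)


def residual_exposure(e: Exposure, c: Control) -> Exposure:
    """Exposure left after the control, allowing for the control failing (assumed model)."""
    effective_reduction = c.probability_reduction * (1.0 - c.failure_probability)
    return Exposure(e.name, e.probability * (1.0 - effective_reduction), e.loss, e.importance)


def evaluate_controls(exposures: list[Exposure], controls: list[Control]) -> list[dict]:
    """Compare each control's expected reduction in weighted exposure with its cost."""
    by_name = {e.name: e for e in exposures}
    results = []
    for c in controls:
        before = by_name[c.target]
        after = residual_exposure(before, c)
        benefit = weighted_exposure(before) - weighted_exposure(after)
        results.append({
            "control": c.name,
            "exposure": c.target,
            "benefit": round(benefit, 2),
            "cost": c.annual_cost,
            "adopt": benefit > c.annual_cost,  # cost/benefit trade-off from the slide
        })
    return results


# Constructed sample data (not from the lecture).
EXPOSURES = [
    Exposure("Management override fraud", probability=0.05, loss=400_000, importance=2.0),
    Exposure("Recurring data entry error", probability=0.90, loss=20_000, importance=1.0),
    Exposure("System outage", probability=0.30, loss=50_000, importance=1.0),
]

CONTROLS = [
    Control("Independent review of journal entries", "Management override fraud",
            annual_cost=12_000, probability_reduction=0.6, failure_probability=0.1),
    Control("Automated input validation", "Recurring data entry error",
            annual_cost=25_000, probability_reduction=0.8, failure_probability=0.05),
    Control("Redundant server", "System outage",
            annual_cost=8_000, probability_reduction=0.5, failure_probability=0.2),
]

if __name__ == "__main__":
    for e in rank_exposures(EXPOSURES):
        print(f"{e.name:30s} weighted exposure = {weighted_exposure(e):,.0f}")
    for r in evaluate_controls(EXPOSURES, CONTROLS):
        verdict = "adopt" if r["adopt"] else "reject"
        print(f"{r['control']:40s} benefit {r['benefit']:>9,.0f} vs cost {r['cost']:>7,.0f}: {verdict}")
```

Note that the highest-ranked exposure is not automatically the one whose control gets adopted: the decision depends on how much weighted exposure the control actually removes after its own failure rate is allowed for, compared with what it costs.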
Control Activities
- Performance reviews: comparison of actual versus budget, analyses and follow-ups; corrective action
- Information processing: general and application controls
- Physical controls: asset safeguarding, access controls, periodic counts and reconciliations of assets/records
- Segregation of duties: authorizing, recording, custody
Information & Communication
- Information: methods and records to identify and record all valid transactions, properly classify transactions, measure value, record in the proper time period, and present/disclose in the financial statements
- Communication: roles and responsibilities
Monitoring and Learning
- Monitoring by management is critical
- Internal and external monitoring (customers, suppliers, etc.)
- CIO, CTO
- Steering committee to represent all key areas
- Internal audit, external audit
- External intelligence-gathering firms such as Gartner, Forrester, Jupiter, etc.
Limitations of Internal Control
- Circumvention by collusion or management override
- Cost/benefit trade-offs: operating efficiency vs. complex controls
- Changing conditions that may cause deterioration
- Materiality limits
- Reliance on human judgement in the design and implementation of controls