ASI - IT Risk and Controls

This document discusses information system audit and IT risk and control. It outlines the risk management process, including identifying risks, assessing risks, identifying controls, documenting controls, and continuously monitoring risks and controls. The main types of IT risks discussed are business, audit, security, and continuity risks. Approaches to assessing IT risks include identifying threats and vulnerabilities, and developing risk indicators. Frameworks for controls include COSO, COBIT and SAS. The importance of documentation, monitoring and managing changing IT risks over time is also emphasized.

Uploaded by Arthia Ruth

Information System Audit

IT Risk and Control

September 2018
Risk management
• Risk is the chance of negative outcomes.
• “No risk, no reward.”
• Risk needs to be balanced.

Thus, business needs to manage risks continuously.

Figure 1 – The Risk Management Process: Identify IT Risks → Assess IT Risks → Identify IT Controls → Document IT Controls, with Monitor IT Risks and Controls spanning all four steps.

1. IDENTIFYING IT RISKS
Risks

Business risk
• Not achieving business goals and objectives

Audit risk
• External auditor making a mistake when issuing an opinion

Security risk
• Failing to maintain data access and integrity

Continuity risk
• Failing to maintain information system availability and backup and recovery
Business risk
“Business risk is the likelihood that an organization will not achieve its business goals and objectives”
• Auditors should be familiar with the enterprise’s strategic plan in order to identify business risks
• Can result from external and internal factors
– External: new competitor in market; poor economy
– Internal: labor disputes; management fraud
• IT plays a significant part in the organization, which increases business risk
– Large investment in IT
– IT timing risk is prevalent, especially in new software/hardware procurement
Audit risk
“Audit risk is the likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or that an IT auditor fails to uncover a material error or fraud”

Audit Risk (AR) is made up of three components:
• Inherent Risk (IR) – likelihood of material errors or fraud inherent in the business environment.
• Control Risk (CR) – likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.
• Detection Risk (DR) – likelihood that audit procedures will not detect material errors or fraud on a timely basis.
Security risk and Continuity risk

Security risk
“Risks associated with data access and integrity”
• Can be physical or logical
• Possible risk:
– Lack of data integrity
– Poor decision making
– Breach of privacy and confidentiality
– Increase in business risk

Continuity risk
“Risks associated with an information system’s availability and backup and recovery”
• Possible risk:
– Hacker attack
– Loss of consumer trust
– Loss of profit
– Loss of financial and critical data

2. ASSESSING IT RISKS
Threats and Vulnerabilities
Approach to IT Risk Assessment
• Identify threats/exposures. Examples: data confidentiality, data availability, data integrity, data timeliness, data accuracy, IT infrastructure.
• Assess vulnerabilities to threats/exposures. Examples: data confidentiality vulnerabilities, remote access by unauthorized peers, on-site access by unauthorized personnel.
• Determine acceptable risk levels and assess the probability of each threat/exposure. Example: chance of remote access by unauthorized users is .05 percent.

Calculating value of risk
• Expected value of risk = % likelihood of loss × Estimated loss from specified risk
Risk Indicators and Risk Measurements
Another approach to IT Risk Assessment
• Identify IT processes. Example: acquiring software applications.
• Develop a set of risk indicators for the identified IT processes. Example: failure to map software acquisitions to the strategic plan.
• A risk indicator points to a need for controls (at this stage the organization has noted the presence of risk, and can choose to control it or not).

Recommendations:
• Usage of a weighted approach
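A worked version of the two assessment approaches above (the expected-value-of-risk formula with an acceptable risk level, and weighted risk indicators for an IT process), added here as an example that is not part of the original slides; the threats, likelihoods, loss figures, indicator names, weights and the acceptable-risk threshold are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str              # threat/exposure identified in step 1
    vulnerability: str     # how it could be realised, assessed in step 2
    likelihood_pct: float  # % likelihood of loss per year (step 3); 0.05 means 0.05 percent
    estimated_loss: float  # estimated loss from the specified risk, in currency units


def expected_value(t: Threat) -> float:
    """The slide's formula: expected value of risk = % likelihood of loss x estimated loss."""
    return t.likelihood_pct / 100.0 * t.estimated_loss


def assess_threats(threats, acceptable_risk):
    """Rank threats by expected value and flag those above the acceptable risk level,
    i.e. the ones for which a control must be identified in the next process step."""
    ranked = sorted(threats, key=expected_value, reverse=True)
    return [(t.name, round(expected_value(t), 2), expected_value(t) > acceptable_risk)
            for t in ranked]


def weighted_indicator_score(observed, weights):
    """Weighted risk-indicator approach: each indicator is 1 (observed) or 0 (absent);
    the score lies in [0, 1] and a higher value points to a stronger need for controls."""
    total = sum(weights.values())
    return sum(w * observed.get(name, 0) for name, w in weights.items()) / total


# Constructed sample risk register (illustrative values, not from the slides)
THREATS = [
    Threat("Data confidentiality", "Remote access by unauthorized users", 0.05, 2_000_000),
    Threat("Data availability", "Loss of data centre power", 1.5, 50_000),
    Threat("Data integrity", "On-site access by unauthorized personnel", 1.0, 20_000),
]
ACCEPTABLE_RISK = 500.0  # constructed: largest expected yearly loss the business tolerates

# Constructed indicators for the IT process "acquiring software applications"
ACQUISITION_WEIGHTS = {
    "not_mapped_to_strategic_plan": 3,  # the slide's example indicator, weighted highest
    "no_vendor_due_diligence": 2,
    "no_post_implementation_review": 1,
}
OBSERVED = {"not_mapped_to_strategic_plan": 1, "no_post_implementation_review": 1}

if __name__ == "__main__":
    for name, ev, needs_control in assess_threats(THREATS, ACCEPTABLE_RISK):
        print(f"{name:22s} expected loss {ev:9.2f}  control needed: {needs_control}")
    print("acquisition risk-indicator score:",
          round(weighted_indicator_score(OBSERVED, ACQUISITION_WEIGHTS), 2))
```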

3. IDENTIFYING IT CONTROLS
Control Standards
• Internal control models around the world
– US – Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
– UK – Cadbury Commission
– Canada – Canadian Criteria of Control Committee (CoCo)

• Quality
– ISO 9000 – Provides broad quality standards for products,
processes and management
– Six Sigma – Represents a standardized approach to process
improvement
Statements on Auditing Standards
• Issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA)
• Provide guidelines for external auditors in conducting the financial statement audit.
• Continuously revised and improved to conform to standards and to provide a greater understanding of the enterprise and its environment, particularly its internal control.
CobiT
• Control of Business Information Technology (CobiT) integrates
internal control with information and information technology.
• CobiT categorizes IT processes in four domains:
– PO - Planning and Organization
– AI - Acquisition and Implementation
– DS - Delivery and Support
– M - Monitoring
• For example: One process in PO is to identify a strategic plan.
CobiT describes the control objective over that process in terms
of how it satisfies business requirements, what characteristics of
the process enable it, and factors it considers.
• Embraced by IT auditors and managers as a framework for
designing and implementing control over their information
technology.

4. DOCUMENTING IT CONTROLS
Documentation tools
• Narratives – should describe the origin and disposition of documents, list processing steps, and describe internal controls such as approvals.
• Flowcharts – should be designed with a standard in mind, providing a similar level of detail, and use designs that can be easily digested.
• Questionnaires – should be utilized to cover all aspects of the risk evaluation; they can be compared among several individuals and can also help in constructing a narrative or flowchart.

5. MONITORING IT RISKS AND CONTROLS


Continuous monitoring
• Risk management requires constant attention, which is why it is continuous in nature.
• CobiT control objectives on monitoring:
– Monitoring the process
– Assessing internal control adequacy
– Obtaining independent assurance
– Providing for an independent audit
• Performance measurement systems and benchmarking should be
utilized
• The pervasive nature of IT mandates that auditors evaluate IT relative to business, audit, security and continuity risks.
Summary
• Types of IT risks
• Approaches in assessing risk
• The need for organizations to understand IT risks
• IT auditors may document existing internal controls using documentation tools
• The IT Risk Management Process is never ending. Changes in technologies and/or business processes may create new threats. As a result, it is important to constantly monitor IT risks and controls
