IT Risk, Control & Audit
Post on 14-Aug-2020
Computer Environment
[Figure: the audit scope drawn as nested layers, Computer Center, Application, Data Files, with three audit activities: Audit the General Controls, Audit the Application Controls, Using Tools to Audit the Information.]
Values and Challenges
Values:
• Increase Productivity
• Providing of New Services
• Competitive Advantage
• Better Decision Making
• Improve Company Image
Challenges:
• Complexity of Controls
• Increase Reliance on System
• Increase Risks
• Lack of Technical Personnel
Impacts of IT on Internal Control & Audit
• Transaction trails
• Uniform processing of transactions
• Segregation of functions
• Potential for errors and frauds
• Potential for increased management supervision
• Initiation or subsequent execution of transactions by computers
• Dependence on other controls
Risks
Definitions
Risk is anything that may have an impact on an organisation's ability to achieve its objectives.
Risk Management Process
[Figure: Understand Objectives → Identify Risks → Assess Risks → Respond to Risks, with Monitoring spanning every step.]
• Understand objectives: IT objectives should be defined so that they are in line with business objectives; the 7 IT objectives could be used as a basis.
• Identify risks: anything that can affect the ability to achieve the above objectives, across People, Process and Technology.
• Assess risks: LIKELIHOOD of occurrence and IMPACT on the objective are assessed at both the INHERENT and the RESIDUAL level.
• Respond to risks: if RESIDUAL risk still exceeds ACCEPTABLE risk, an additional risk response should be implemented.
• Monitoring: all steps are monitored to ensure that risk and response are aligned at all times.
IT Objectives
Risk Identification
2. Risk Identification: People, Process & Technology
Internal & External
Hazard, Uncertainty & Opportunity
Root Causes
• Poor management (planning & policy)
• System (H/W & technology)
• Skills of IT and non-IT staff
• Processing management (design & execution)
• Security management (policy & procedure)
• System (H/W, technology & network)
• User awareness
• Hackers, viruses
• System & network design
• Hardware failures
• External sabotage
• Viruses & attacks
• No BCP, backup & recovery
• System design (input, process & output)
• Hackers & unauthorised access
• Poor authority-granting procedures
• Unaware of, or not understanding, rules and regulations
• No monitoring
Risk Definition
• Acceptable Risk (Risk Appetite)
• Inherent Risk
• Residual Risk
Risk Response
1. Accepting (Take)
2. Reducing (Treat)
3. Avoiding (Terminate)
4. Sharing (Transfer)
COBIT can be used as a guideline for risk treatment.
Risk Matrix
Objectives:
• Risk Factors
• Risk Rating (Likelihood / Impact)
• Current Controls
• Acceptable Risk Rating
• Control Improvement
Matrix columns: Risk Factors | Rating (L, I) | Current Controls | Rating (L, I) | Control Improvements
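The risk matrix above scores each risk factor twice, inherent (before controls) and residual (after current controls), on the likelihood and impact scales, and compares the residual rating with the acceptable rating to decide whether more treatment is needed. The following is an added example, not code from the original slides: it scores a small register using likelihood × impact on the 1–5 scales of the risk map and flags entries whose residual rating still exceeds the acceptable rating. The risk codes, descriptions, controls and ratings are constructed.

```python
"""Risk matrix scoring: inherent vs residual vs acceptable risk.

Added example, not part of the original slides. Risk codes, descriptions,
controls and ratings below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5  # the 1-5 likelihood/impact scales of the risk map


def rating(likelihood: int, impact: int) -> int:
    """Risk rating = likelihood x impact, each on the 1..5 scale (so 1..25)."""
    for value in (likelihood, impact):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"rating {value} is outside {RATING_MIN}..{RATING_MAX}")
    return likelihood * impact


@dataclass
class RiskEntry:
    code: str                   # label plotted on the risk map, e.g. "A1" (constructed)
    factor: str                 # risk factor description
    inherent: tuple[int, int]   # (likelihood, impact) with no controls considered
    current_controls: list[str]
    residual: tuple[int, int]   # (likelihood, impact) after current controls
    acceptable: int             # acceptable risk rating (risk appetite)

    def needs_response(self) -> bool:
        """Additional risk response is needed while residual > acceptable."""
        return rating(*self.residual) > self.acceptable


def evaluate(register: list[RiskEntry]) -> list[dict]:
    """One risk-matrix row per entry: ratings and whether more treatment is needed."""
    return [
        {
            "code": r.code,
            "inherent": rating(*r.inherent),
            "residual": rating(*r.residual),
            "acceptable": r.acceptable,
            "needs_response": r.needs_response(),
        }
        for r in register
    ]


def risk_map(register: list[RiskEntry], residual: bool = True) -> dict[tuple[int, int], list[str]]:
    """Group risk codes by (likelihood, impact) cell, as plotted on the risk map."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cell = r.residual if residual else r.inherent
        cells.setdefault(cell, []).append(r.code)
    return cells


# Constructed sample register (codes chosen to look like those on the risk map).
SAMPLE_REGISTER = [
    RiskEntry("A1", "Unauthorised access to payroll data", (4, 5),
              ["password controls", "need-to-use authorisation"], (2, 5), 8),
    RiskEntry("C4", "Hardware failure of the main server", (3, 4),
              ["redundancy", "nightly backup"], (2, 2), 6),
    RiskEntry("G2", "System changes are not monitored", (4, 3),
              [], (4, 3), 6),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        action = "treat further" if row["needs_response"] else "accept"
        print(f'{row["code"]}: inherent {row["inherent"]:2d}, residual {row["residual"]:2d}, '
              f'acceptable {row["acceptable"]:2d} -> {action}')
```

Running the block shows A1 and G2 still above their acceptable rating (so a further response, reduce, avoid or share, is due), while C4 can be accepted; the `risk_map` cells give the coordinates at which each code would be plotted on the 5×5 map.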
Risk Map
[Figure: a 5×5 grid of Likelihood (1–5, vertical) against Impact (1–5, horizontal) with risks plotted by code: A1, A2, A4, A5, A7, B1, B5, C1, C2, C3, C4, E1, E2, F1, G2, G3, G5, H3, I2, I3, J1, K1, L1.]
22/11/07
IT Governance – The definition
“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
The relationships are between management and its governing body.
The processes cover:
- setting objectives
- giving direction on how to attain them
- measuring performance
IT Governance components
IT Governance focuses on:
• IT Value Delivery
• Managing Risks
• Resource Management
Critical mission for IT & Business Alignment
• Ensure that board members and other senior managers are continuously educated in IT.
• Ensure that IT leadership and key IT managers are given resources (especially time) to help them fully understand the business, its industry and its markets.
• Ensure that IT is a regular item on the board agenda, not just annually as part of the budgeting process.
• Embed the IT planning (three years of plan and budget) process into the enterprise strategic planning process.
• Establish appropriate IT-related committee structures.
IT Value Delivery
• What values will IT deliver to an organisation?
  • Increase in productivity
  • Providing new services
  • Competitive advantages
  • Better image
• How will the values be delivered?
  • In line with business requirements
  • Flexible for future needs
  • Ease of use, durable and safe
Risk Management
• Establish IT risk assessment process
• Continuously assess IT risks
• Define clear roles and responsibilities
• Regular report on risks
• Embed risk management in IT processes
Performance Measurement
Overview
Product Family
COBIT 5 is based on 5 principles:
1. Meeting stakeholder needs: customised benefits realisation and optimised risk (goals cascade)
2. Covering the enterprise: all functions and processes (not only IT)
3. A single integrated framework: aligned with other standards & frameworks (at a high level)
4. A holistic approach: taking into account several interacting components (7 enablers)
5. Separating governance from management: a clear distinction between governance & management
Principle 1 – Meeting Stakeholder Needs (Cont)
Principle 2 – Covering the Enterprise
Principle 3 – A Single Integrated Framework
Principle 4 – A Holistic Approach
Principle 5 - Separate Governance from Management
- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
Enabling Process
COBIT 5 – Process Reference Model
Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency
Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
Align, Plan and Organise
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security
Build, Acquire and Implement
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration
Deliver, Service and Support
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls
COBIT 5 – Process Reference Model
Details of each process:
• Process Description
• Process Purpose Statement
• IT-Related Goals and Related Metrics
• Process Goals and Related Metrics
• Key Management Practices with RACI Chart
• Management Practice: Inputs, Outputs, Activities
• Related Standards
IT Controls
Components of IT Controls
• IT Control Environment (Entity Level Control)
• IT General Control
• IT Application Control
[Figure: the Control Environment surrounds the ITGC layer, which surrounds the Application Controls and the Data Files.]
Controls Environment
• IT Policies & Procedures
• IT Organisation Structures (Roles & Responsibilities)
• Human Resource Management
• Tone at the Top
• Culture
Controls Environment
IT Policies & Procedures:
• IT usage policy
• IT security policy
• System development policy
• System development and change procedures
• Security administration procedure
• IT operation procedure & manual
IT General Controls (ITGC)
• The foundation of the overall control of the IT environment
• Mainly the responsibility of IT management, and mostly within the IT department
• COBIT is a good collection of all ITGC.
IT General Controls (ITGC)
• System development & changes
• Operation
• Disaster recovery plan
• Security Management
System Development & Changes
Who should be involved?
• Senior management
• User management & staff
• IT management & staff
• Auditors (?)
• Project Manager
• Project Owner
• Project Sponsor
Type of System Development
• In-House Development
• Purchase Commercial Software
Considerations:
• Implementation time
• Cost
• Reliability
• Independence
• Customisation
• Maintenance
• Future concern
Systems Development Today
Risks and Controls: WHAT MANAGEMENT NEEDS TO KNOW
• Are we building the right product?
• Are we building the product right?
Systems Development
Auditing Systems Development
Phase: Initiation
Control objectives:
• Project objectives have been clearly defined, documented and communicated.
• Organizational structure and reporting mechanism are properly defined.
Phase: Analysis
Control objectives:
• Business and control requirements are clearly defined and documented.
• Requirements are consistent with objectives.
Phase: Design
Control objectives:
• Design incorporates business requirements
• Design incorporates control requirements
• Design incorporates audit requirements
• Auditor requirements: embedded audit routines, exception reports
Phase: Construction
Control objectives:
• New system is adequately tested: comprehensive test plan, business user involvement, IS involvement, audit involvement, documenting test results
• All requirements are tested
Phase: Implementation
Control objectives:
• Critical operational controls have been implemented
• Business user approval
• System is migrated via a protected environment
• System performs as designed
• Original business requirements are satisfied.
System Implementation
• Direct cutover
• Parallel implementation
• Pilot implementation
• Phased (module) implementation
System Documentation
• System manual
• Operation manual
• User manual
• User procedures
System Changes
General Controls - System Change
Background
Controls must cover:
• Request/Approve
• Feasibility Studies
• Design/Construction
• Testing
• Program Transfers
• Parallel Testing
• System Documentation
Disaster Recovery Plan
The Hamburger Model
[Figure: layered model. THREATS (fire, flood, storm, bomb, power and equipment failures, computer system breakdown) strike the Shield (access controls, hazard detection & prevention, redundancy, backup) that protects Your Business; the Emergency Response (evacuate, medical, public relations, emergency funds) and the Safety Net sit beneath, limiting the Impact (massive disruption to business operations, adverse media coverage, poor image, loss of customer confidence, financial loss). The figure labels the BUSINESS CONTINUITY PLAN and the DISASTER RECOVERY PLAN as the two plan layers.]
What is the right approach and/or solution? Risk Analysis.
Business Continuity Plan
• An integrated set of procedures and resource information that is used to recover from an event that has caused a disruption to business operations.
• It answers the newspaper questions: who, what, when, where, why, how.
IT Operation
IT Operation comprises:
• Turn on/off systems
• Monitor usage
• Problems/incidents handling
• Batch processing
• Backup/Restore
• Report printing & distribution
IT Operation controls:
• Steps are clearly defined.
• Adequate training
• Supervision
System Security
Security
Background
• Security can be broadly defined as the control structure established to manage the Confidentiality, Integrity and Availability of IS data and resources.
• Effective security includes:
  • Management and administration
  • Logical security
  • Physical security
Controls - Security Policy
• The policy is also a legal and human resources document and should be handled accordingly.
• All users should sign to indicate understanding of, and agreement to comply with, the security policy.
• All users should periodically verify (typically annually) continued understanding of, and compliance with, the security policy.
Security
Controls - Password Controls
• Minimum length, e.g. 8 characters
• Alphanumeric plus special characters
• Expire after a set number of days, e.g. 120 days
• Non-repeatable, e.g. not among the last 10 passwords used
• Not easily guessed, e.g. non-dictionary words
• Non-sharing
• Suspend the account after a set number of invalid sign-on attempts
• Non-display during log-in
How well do crackers crack passwords?
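The password controls listed above are what an auditor checks a system enforces. The following is an added example, not code from the original slides, that implements those controls as checks an account management routine would run: minimum length, alphanumeric plus special characters, a dictionary-word test, expiry after a set number of days, a non-repeatable history of salted hashes, and suspension after repeated invalid sign-on attempts. The policy values (8 characters, 120 days, last 10, 5 attempts), the tiny word list and the user names are constructed.

```python
"""Password controls implemented as checks: minimum length, alphanumeric plus
special characters, expiry, non-repeatable history, non-dictionary words and
suspension after invalid sign-on attempts.

Added example, not part of the original slides. The policy values and the tiny
dictionary word list are constructed; a real deployment loads a full word list
and reads the password with getpass() so it is not displayed during log-in.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import date

POLICY = {
    "min_length": 8,            # "minimum length, e.g. 8 characters"
    "max_age_days": 120,        # "expire after a set number of days, e.g. 120"
    "history_size": 10,         # "non-repeatable, e.g. last 10"
    "max_invalid_attempts": 5,  # constructed value for "suspend after N invalid attempts"
}
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "company"}  # constructed
PBKDF2_ROUNDS = 50_000  # kept low for the example; use a higher work factor in practice


def check_complexity(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < POLICY["min_length"]:
        problems.append("too short")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special characters")
    # "Not easily guessed": a dictionary word padded with digits/symbols is still guessable.
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary word")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash; only hashes are kept, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user: str):
        self.user = user
        self.history: list[tuple[bytes, bytes]] = []  # (salt, hash), newest last
        self.last_changed: date | None = None
        self.invalid_attempts = 0
        self.suspended = False

    def reused(self, pw: str) -> bool:
        """Non-repeatable: does pw match any of the last `history_size` hashes?"""
        recent = self.history[-POLICY["history_size"]:]
        return any(hmac.compare_digest(hash_password(pw, s), h) for s, h in recent)

    def set_password(self, pw: str, today: date) -> list[str]:
        """Apply the controls; returns the violations, empty if the change was accepted."""
        problems = check_complexity(pw)
        if self.reused(pw):
            problems.append(f"reused within last {POLICY['history_size']}")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, hash_password(pw, salt)))
        self.last_changed = today
        return []

    def sign_on(self, pw: str, today: date) -> str:
        """Returns 'ok', 'expired', 'invalid' or 'suspended'."""
        if self.suspended:
            return "suspended"
        salt, stored = self.history[-1]
        if not hmac.compare_digest(hash_password(pw, salt), stored):
            self.invalid_attempts += 1
            if self.invalid_attempts >= POLICY["max_invalid_attempts"]:
                self.suspended = True  # suspend after too many invalid sign-on attempts
                return "suspended"
            return "invalid"
        self.invalid_attempts = 0
        if (today - self.last_changed).days >= POLICY["max_age_days"]:
            return "expired"  # the password must be changed before use continues
        return "ok"
```

Note that the dictionary check strips digits and symbols before the lookup, so "Summer2024!" is still rejected even though it satisfies the length and character-class rules; that is the point of the "not easily guessed" control beyond plain complexity.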
Security
Controls - Physical Security
Typically involves:
• Physical access to hardware, software, and data
• Fire prevention, detection, and control
• Environmental hazard prevention, detection, and control
Safety of employees and personnel on-site must be the first concern.
Security
Controls - Logical Security
Software-based controls that allow:
• Identification of individual users of IS data and resources
• Restriction of access to specific data or resources
• Generation of audit trails of system and user activity
Access Control
[Figure: the Sales System and the Accounting System each reach the Database/Files/Tables through two layers of access control: Access Control (A/P) at the application level and Access Control (O/S) at the operating-system level.]
Introduction to OS (cont)
Access Control Program
• Authentication
• Authorization
• Audit Logging
Authentication
• Identify and confirm the individual using pre-defined access data stored in the system
• Types of authentication: knowledge, possession, characteristic
Authorisation
• Check the individual's authorisation before allowing access to specific computer resources (e.g. data file, program, command, devices, communication capabilities, etc.)
• Individual rights & resource protection
• Best practice: allow access on a “need-to-use” basis only
Audit Logging
• Recording critical activities, such as privileged IDs, critical processes, data and utility usage, security events
• Reviews and log maintenance
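The three functions of an access control program described above fit together as follows. This is an added example, not code from the original slides: authentication checks the supplied secret against a stored salted hash, authorisation allows an action only when it has been explicitly granted for that user and resource (the "need-to-use" basis), and audit logging records every authentication outcome, every denial, and every action by a privileged ID so the log can be reviewed. The user names, resources, grants and log record format are constructed.

```python
"""Access control program with the three functions on the slide: authentication,
authorisation on a need-to-use basis, and audit logging of security events and
privileged-ID activity.

Added example, not part of the original slides. User names, resources, the
permission grants and the log record format are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes, bool]] = {}  # user -> (salt, hash, privileged)
        self.acl: dict[str, dict[str, set[str]]] = {}          # resource -> user -> actions
        self.sessions: set[str] = set()                         # authenticated users
        self.audit_log: list[dict] = []

    # --- administration (constructed: no self-service here) ---
    def add_user(self, user: str, pw: str, privileged: bool = False) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(pw, salt), privileged)

    def grant(self, user: str, resource: str, actions: set[str]) -> None:
        """Need-to-use: only an explicitly granted (user, resource, action) is allowed."""
        self.acl.setdefault(resource, {}).setdefault(user, set()).update(actions)

    # --- authentication ---
    def authenticate(self, user: str, pw: str) -> bool:
        record = self.users.get(user)
        ok = record is not None and hmac.compare_digest(_hash(pw, record[0]), record[1])
        self._log("AUTH", user, None, None, "success" if ok else "failure")
        if ok:
            self.sessions.add(user)
        return ok

    # --- authorisation ---
    def authorise(self, user: str, resource: str, action: str) -> bool:
        if user not in self.sessions:
            self._log("AUTHZ", user, resource, action, "denied: not authenticated")
            return False
        allowed = action in self.acl.get(resource, {}).get(user, set())
        privileged = self.users[user][2]
        # Log every denial (a security event) and every action by a privileged ID.
        if not allowed or privileged:
            self._log("AUTHZ", user, resource, action, "allowed" if allowed else "denied")
        return allowed

    # --- audit logging ---
    def _log(self, event, user, resource, action, outcome) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": event, "user": user, "resource": resource,
            "action": action, "outcome": outcome,
        })

    def review(self, event: str | None = None, denied_only: bool = False) -> list[dict]:
        """Log review: filter by event type and/or keep only denials."""
        return [e for e in self.audit_log
                if (event is None or e["event"] == event)
                and (not denied_only or e["outcome"].startswith("denied"))]


def build_sample() -> AccessControl:
    """Constructed set-up: a privileged payroll administrator and an ordinary clerk."""
    ac = AccessControl()
    ac.add_user("alice", "Adm1n-pass!", privileged=True)
    ac.add_user("bob", "Cl3rk-pass!")
    ac.grant("alice", "payroll.dat", {"read", "write"})
    ac.grant("bob", "payroll.dat", {"read"})
    return ac


if __name__ == "__main__":
    ac = build_sample()
    ac.authenticate("bob", "Cl3rk-pass!")
    ac.authorise("bob", "payroll.dat", "write")   # denied: not granted
    for entry in ac.review():
        print(entry)
```

Routine reads by an ordinary user are deliberately not logged, so the log stays reviewable: it holds failures, denials and everything a privileged ID did, which is the material the slide's "reviews and log maintenance" item is about.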
DATABASE
Flat File vs Database
[Figure: departments Acct, Mkt, Finance and Prod; data sets customer, invoices, Receipts and Products; queries (Query 1, Query 2) served through the DBMS.]
Database Model
[Figure: Users run application/user programs that issue transactions (Trans) to the DBMS, which provides a Data Definition Language, a Data Manipulation Language and a Query Language and sits on the Host Operating System above the Physical Database. System Development and the Database Administrator are shown alongside the DBMS.]
Computer Network
Network Components
• Computer servers/desktops (with network communication hardware)
• Cable/wire/wireless
• Network equipment: router, firewall, bridge, repeater
• Protocol
Network Terminology
• Public network
• Private network
• Virtual private network
Network Controls
• Network design (zoning & segmentation)
• Network equipment placement and setting
• Network security software
• Others
Network Zoning
Network Equipment - Firewall
Controls:
• OS controls
• Firewall admin restrictions
• Rule base setting
Application Controls
Background
• Specific to an application, and independent of other applications
• Address completeness, accuracy, validity and authorization of data being processed by the system
• Controls can be “automated” or “manual” and can be “preventive”, “detective” or “corrective”
• Automated processing
• The level of control depends on the level of business risk
Risks
• Application functions may not be adequately segregated
• Users may have excess system authorities
• Transactions may be entered incorrectly, incompletely, more than once, or not timely.
• Transactions may be processed incorrectly, incompletely, more than once, or not timely.
• Outputs may not be properly and safely used.
Background
1. Access to application functions (segregation of duties within the application)
2. Input controls (incl. reject/suspend inputs, interfaces)
   1. Planning & design
   2. Edit/validate by the system
   3. Procedures to review accuracy and completeness of input
3. Processing controls
4. Output controls (usage & confidentiality)
Computer Environment
Aud
it t
he G
ener
al C
ontr
ols
Audit the A
pplication Controls
Using Tools to Audit the Information
Computer Center Application
Application
DataFiles
DataFiles
89
IT Auditing Areas
RISK-BASED AUDIT APPROACH
[Figure: risk is split into controlled risks, covered by internal controls, and uncontrolled risks. The audit tests the efficiency of the controls and performs substantive tests, and produces advice for improvement.]
Auditing Process
[Figure: Strategic Planning → Assignment Planning → Execution → Reporting → Follow-Up.]
Strategic Planning:
• Business objectives
• Define auditable areas
• Risk assessment: define weight of objectives, define risk factors, assessment
• Prioritise
• Define audit approach
• Identify resources
• Audit schedule
• Audit strategic plan
Assignment Planning:
• Obtain understandings: system documentation, walk-through testing
• Risk/control analysis: identify risks, risks vs control procedures, identify key controls
• Prepare audit programs: procedures vs audit instructions
• Allocate staff
Computer Assisted Audit Technique (CAAT)
Nature of CAAT
• Who should be responsible for CAAT?
• Ideally, the general auditor should be responsible for all steps.
• In reality, the computer auditor plays a supporting role.
CAAT Considerations
• Mix of computer and manual tests
• Computer knowledge, expertise and experience of the auditor
• Reliability of general computer controls
• Availability of CAATs and suitable facilities
• Impracticability of manual audit procedures
• Effectiveness and efficiency of the testing
• Development time
CAAT Objectives
• Detailed testing of transactions, data, and processes where efficiency and effectiveness can be gained, or where manual testing is not possible or feasible, including:
  • Testing of accuracy & completeness of processes
  • Analysis and test of data
  • Fraud analysis & evidence collection
Parallel Simulation
[Figure, elements numbered 1–5: production data is downloaded to removable storage; a CAAT program is developed; the CAAT program is run to produce a report; the application process produces its own report; the two reports are compared.]
Test Data Approach / Test Transactions
[Figure, elements numbered 1–4: the application program is copied; CAAT test data is prepared on removable storage; the copied program is run over the test data to produce a report; the expected result is produced by manual calculation; the two reports are compared.]
CAAT Steps
1. Determine if CAAT is appropriate
2. Define audit objectives
3. Determine required data
4. Arrange for data download
5. Perform analysis & testing
6. Summarise & document
Define audit objectives:
• Audit objectives should link to business risks or audit risks
• The auditor requires an understanding of the system
• Consult with the system development group before finalising
Typical tests:
• Mathematical accuracy
• Analytical review
• Validity (exception testing & duplicates)
• Completeness (gaps)
• Cut-off
Perform analysis & testing:
• Understand business process and conditions
• Field and record conditions
• Understand calculation formula and methods
• Conceptual design of the testing
• Build & test
• Actual analysis & testing
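The parallel simulation figure and the CAAT steps above come together in a small audit program. This is an added example, not the slides' own program: it loads a downloaded invoice extract, applies the field conditions, recomputes every total independently of the application (the parallel-simulation comparison, which is the mathematical accuracy test), and runs the validity (exception testing and duplicates), completeness (sequence gaps) and cut-off tests, summarising the findings per test. The extract, the tax formula and the audit period are constructed; in a real engagement the formula comes from the system documentation.

```python
"""CAAT analysis and testing over a constructed invoice extract: mathematical
accuracy by independent recomputation (parallel simulation), validity
(exception testing and duplicates), completeness (sequence gaps) and cut-off
(dates outside the audit period).

Added example, not the slides' own program. The extract, the tax formula and the
audit period are constructed; the real formula comes from the system documentation.
"""
import csv
import io
from collections import Counter
from datetime import date
from decimal import ROUND_HALF_UP, Decimal

TAX_RATE = Decimal("0.07")  # constructed: total = qty * unit_price * (1 + tax)

# Constructed extract, as downloaded from the application to removable storage.
EXTRACT = """invoice_no,inv_date,customer,qty,unit_price,total
1001,2023-12-28,C010,10,25.00,267.50
1002,2023-12-29,C011,5,100.00,535.00
1003,2023-12-30,C012,3,40.00,128.40
1003,2023-12-30,C012,3,40.00,128.40
1005,2023-12-31,C013,-2,15.00,-32.10
1006,2024-01-02,C014,1,999.00,1068.93
1007,2023-12-31,C015,4,50.00,200.00
"""


def load(text: str) -> list:
    """Parse the extract, typing each field (field conditions: int, date, Decimal)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]),
            "inv_date": date.fromisoformat(r["inv_date"]),
            "customer": r["customer"],
            "qty": int(r["qty"]),
            "unit_price": Decimal(r["unit_price"]),
            "total": Decimal(r["total"]),
        })
    return rows


def expected_total(qty: int, unit_price: Decimal) -> Decimal:
    """Independent recomputation of the application's calculation."""
    return (qty * unit_price * (1 + TAX_RATE)).quantize(Decimal("0.01"), ROUND_HALF_UP)


def check_accuracy(rows) -> list:
    """Mathematical accuracy: invoices whose recorded total differs from the recomputation."""
    return sorted({r["invoice_no"] for r in rows
                   if r["total"] != expected_total(r["qty"], r["unit_price"])})


def check_validity(rows) -> dict:
    """Exception testing (non-positive quantities) and duplicate invoice numbers."""
    counts = Counter(r["invoice_no"] for r in rows)
    return {
        "exceptions": sorted({r["invoice_no"] for r in rows if r["qty"] <= 0}),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
    }


def check_completeness(rows) -> list:
    """Gaps in the invoice number sequence between the lowest and highest number."""
    present = {r["invoice_no"] for r in rows}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def check_cutoff(rows, period_start: date, period_end: date) -> list:
    """Invoices dated outside the audit period but included in the extract."""
    return sorted({r["invoice_no"] for r in rows
                   if not period_start <= r["inv_date"] <= period_end})


def run_all(rows, period_start: date, period_end: date) -> dict:
    """Summarise & document: one entry of findings per test."""
    return {
        "accuracy": check_accuracy(rows),
        "validity": check_validity(rows),
        "completeness": check_completeness(rows),
        "cutoff": check_cutoff(rows, period_start, period_end),
    }


if __name__ == "__main__":
    findings = run_all(load(EXTRACT), date(2023, 12, 1), date(2023, 12, 31))
    for test, result in findings.items():
        print(f"{test}: {result}")
```

On the constructed extract the program reports invoice 1007 as an accuracy exception (recorded 200.00, recomputed 214.00), 1005 as a validity exception (negative quantity), 1003 as a duplicate, 1004 as a gap in the sequence, and 1006 as a cut-off exception (dated after the period end). Each finding is the starting point for follow-up with the system owner, not a conclusion on its own.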
Audit Software
• Generalised Audit Software
• Specialised Audit Software
• Report Writer Utilities / Query Language
• Micro Computer Applications
PwC
Control quadrant: Cost vs. flexibility
[Figure: a 2×2 quadrant of cost (high/low) against flexibility (high/low) placing manual detective controls, real-time detective controls, automated preventive controls and manual preventive controls.]
Continuous Assurance
Combination of continuous auditing and audit oversight of continuous monitoring.
Continuous Auditing
Includes monitoring, assessing and mitigating risk associated with operations, finance and fraud, automatically and on a more frequent basis. Performed by Internal Audit or the Controls Dept.
Continuous Monitoring
Includes the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. Performed by operational/financial management.
Continuous Controls Monitoring / Continuous auditing overview
Internal Audit Process Framework – as is: Technology as an enabler
[Figure: the ANNUAL cycle Risk Assessment → Audit Plan → Fieldwork → Reporting → Wrap-Up; technology is being applied here (in audit management and data analysis) to speed up the audit process.]
How CM/CA should be developed
[Figure: source systems (Billing, ERP, HR, Custom) feed an Extractor; the data is taken into an Analytics Workbench where process analytics run over transactions and GL accounts; results pass through approvals to management and reporting.]
1. Planning: choose the right area/business process
2. Risk Assessment: identify key risk indicators and the data required for analysis
3. Acquire & Prepare
4. Analyze
5. Manage & Report