This Lecture Covers
• IT Control Frameworks
Liberating control from financial reporting
• ITCG
• COBIT
• New frameworks such as AICPA/CICA SysTrust Principles and Criteria for Systems Reliability
Control Frameworks
CICA ITCG framework
[Figure: the framework moves from Control Issues, through Minimum Control Standards and Control Objectives, down to numbered Control Techniques (A1-1, A1-2, A1-3, A2-1, B1-1, etc.), applied to areas such as Information Technology Planning and Responsibility for Risk Management and Control]
ISACA
• Introduced CoBIT, CoBIT2, CoBIT3 (2000)
• Emphasized IT controls
• Identifies 34 high level control objectives
• Has 302 recommended detailed control objectives
• Complex to use
• Becoming widely accepted
ISACA
[Figure: the COBIT cube. One axis holds the Information Criteria; a second holds the IT Processes, broken down into Domains, Processes and Activities/Tasks; the third holds the IT Resources: People, Application Systems, Data, Technology and Facilities]
ISACA
Comparison of Control Models
COSO: Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring
CoCo: Purpose; Commitment; Capability; Monitoring & Learning
SysTrust v.3: Policies; Communication; Procedures; Monitoring
Control environment
• Management philosophy and operating style - attitudes toward financial reporting, risk taking, meeting budgets, etc. - these have a significant impact on the control structure
• Organizational structure - consider form and nature of org. units and assign authority and responsibility appropriately
• Audit committee - should have an active one
Control environment (cont’d)
• Effective methods to communicate and assign responsibility
• Effective management control methods
• Proper system development methodology - for developing and modifying systems and procedures, including programs
• Effective personnel methods - hiring, firing, evaluating, promoting and compensating
• External controls - such as regulatory agencies
Risk Assessment
Identify control objectives/requirements of users, regulators and other stakeholders (e.g., availability, security, integrity and maintainability)
Assess risks by anticipating/ forecasting threats that can lead to system errors, faults, failures
Select controls/ countermeasures to deter, prevent, detect and correct unacceptable errors, faults and failures and tolerate acceptable errors, faults and failures
• Categories of exposures - (1) potential disasters such as interruption, loss of data, material inaccuracies, manipulation, and (2) competitive disadvantage - loss of position, inefficient use of IT, excessive technology expenditures, etc.
• Exposure weights - distinguish the severity of different types of consequences - frauds vs. errors - one may be more significant than the other at any given time (a fraud due to management override is severe, but a continuing error caused by a control weakness may be worse at times)
• Risk and magnitude must be assessed before preventive/detective controls are introduced
Risk Assessment
Identify Sources of Exposures and Degrees of Risk
[Matrix: rows are the SysTrust principles Availability, Security, Integrity and Maintainability, each assessed through Policy, Communication, Procedures and Monitoring; columns are the system components Infrastructure, Software, People, Procedures and Data]
Risk Assessment
Warning signs in systems that problems exist include:
• recurring system outages
• constant redoing of apps
• repeated requests for hardware replacements
• recurring system conversions
• rapidly growing budget
• excessive reliance on outsiders
• high staff turnover
• no long term plans
• continual dissatisfaction with info
• persistent errors
• hard to communicate with IT personnel
Risk Assessment
Strategies for Dealing with Risks
• need to reduce risk to an acceptable level - never achieve 0 - by comparing costs/benefits
• use of deterrent, directive, preventive controls
• assess probability of loss occurring from exposure
• prob. of control system failure - can’t prevent all errors
• determine potential size of loss consequences
• use weighted exposure - assess prob * loss * importance
• use of detective controls - maximize chance at detection
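The strategy above can be run as a small calculation. The following is an added example, not part of the lecture: it scores each exposure as prob * loss * importance, gives every control its own failure probability (no control prevents all errors), and adds controls only while the exposure they remove exceeds their annual cost, stopping at an acceptable level rather than at zero. All exposures, controls and figures are constructed for illustration, and treating several controls on one exposure as independent is an assumption of the example.

```python
"""Weighted exposure and cost/benefit screening of candidate controls.

Added example for the "Strategies for Dealing with Risks" slide.  Every
exposure, control and figure is constructed for illustration; treating
controls that cover the same exposure as independent is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float  # annual probability that the loss event occurs
    loss: float         # estimated loss magnitude if it occurs
    importance: float   # weight for the type of consequence (e.g. fraud vs. error)

    def weighted(self) -> float:
        """Weighted exposure = prob * loss * importance (the slide's formula)."""
        return self.probability * self.loss * self.importance


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                   # deterrent / preventive / detective / corrective
    annual_cost: float
    effectiveness: float        # share of covered events stopped or caught when it works
    failure_probability: float  # chance the control itself fails: none prevents all errors
    covers: Tuple[str, ...]     # names of the exposures this control addresses

    def retained_fraction(self) -> float:
        """Fraction of weighted exposure that survives this control."""
        return 1.0 - self.effectiveness * (1.0 - self.failure_probability)


def residual_exposure(exposures: List[Exposure], controls: List[Control]) -> Dict[str, float]:
    """Weighted exposure left per exposure once the given controls are in place."""
    residual: Dict[str, float] = {}
    for exp in exposures:
        remaining = exp.weighted()
        for ctl in controls:
            if exp.name in ctl.covers:
                remaining *= ctl.retained_fraction()  # assumes controls act independently
        residual[exp.name] = remaining
    return residual


def screen_controls(exposures: List[Exposure], candidates: List[Control],
                    acceptable_level: float) -> Tuple[List[Control], float, bool]:
    """Greedy cost/benefit selection.

    Repeatedly adds the candidate with the largest net benefit (exposure removed
    minus annual cost) until total residual exposure is at or below the
    acceptable level, or no remaining candidate pays for itself.  Returns the
    selected controls, the total residual exposure and whether the target was met.
    """
    selected: List[Control] = []
    remaining = list(candidates)
    total = sum(residual_exposure(exposures, selected).values())
    while total > acceptable_level and remaining:
        best, best_net = None, 0.0
        for ctl in remaining:
            new_total = sum(residual_exposure(exposures, selected + [ctl]).values())
            net = (total - new_total) - ctl.annual_cost
            if net > best_net:
                best, best_net = ctl, net
        if best is None:
            break  # every remaining control costs more than the exposure it removes
        selected.append(best)
        remaining.remove(best)
        total = sum(residual_exposure(exposures, selected).values())
    return selected, total, total <= acceptable_level


# Constructed sample data (not from the lecture); amounts are annual figures.
EXPOSURES = [
    Exposure("data loss", probability=0.20, loss=50_000, importance=1.0),
    Exposure("management override fraud", probability=0.05, loss=200_000, importance=2.0),
    Exposure("processing errors", probability=0.60, loss=5_000, importance=1.0),
]
CANDIDATES = [
    Control("offsite backups", "corrective", 2_000, 0.90, 0.10, ("data loss",)),
    Control("independent review of journal entries", "detective", 6_000, 0.70, 0.20,
            ("management override fraud", "processing errors")),
    Control("input validation", "preventive", 1_500, 0.80, 0.05, ("processing errors",)),
    Control("continuous monitoring suite", "detective", 30_000, 0.95, 0.05,
            ("data loss", "management override fraud", "processing errors")),
]

if __name__ == "__main__":
    print(f"gross weighted exposure: {sum(e.weighted() for e in EXPOSURES):,.0f}")
    chosen, residual, met = screen_controls(EXPOSURES, CANDIDATES, acceptable_level=15_000)
    for ctl in chosen:
        print(f"select {ctl.name} ({ctl.kind}), cost {ctl.annual_cost:,.0f}")
    print(f"residual weighted exposure: {residual:,.0f}; target met: {met}")
```

With the constructed figures the review control is selected first (largest net benefit), backups second, and the expensive monitoring suite is never chosen because it removes less exposure than it costs; lowering the acceptable level below what affordable controls can reach leaves the target unmet rather than forcing uneconomic spending, which is the slide's cost/benefit point.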
Control Activities
• Performance reviews - comparison of actual versus budget, analyses and follow-ups; corrective action
• Information processing - general and application controls
• Physical controls - asset safeguarding, access controls, periodic counts and reconciliations of assets/records
• Segregation of duties - authorizing, recording, custody
Information & Communication
• Information - methods and records to:
- identify and record all valid transactions
- properly classify transactions
- measure value
- record in proper time period
- present/disclose in financial statements
• Communication - roles and responsibilities
Monitoring and Learning
• Monitoring - by management is critical
• Internal and external monitoring (customers, suppliers, etc.)
• CIO, CTO
• Steering committee to represent all key areas
• Internal audit, external audit
• External intelligence gathering firms such as Gartner, Forrester, Jupiter, etc.
Limitations of Internal Control
• Circumvention by collusion or management override
• Cost/benefit trade-offs: operating efficiency vs. complex controls
• Changing conditions that may cause deterioration
• Materiality limits
• Reliance on human judgement in design and implementation of controls