IT Risk, Control & Audit

Computer Environment
Audit the General Controls
Audit the Application Controls
Using Tools to Audit the Information
(Diagram of the audited environment: Computer Center, Application, Data Files)

Values and Challenges
Values:
• Increased productivity
• Provision of new services
• Competitive advantage
• Better decision making
• Improved company image
Challenges:
• Complexity of controls
• Increased reliance on systems
• Increased risks
• Lack of technical personnel

Impacts of IT on Internal Control & Audit
• Transaction trails
• Uniform processing of transactions
• Segregation of functions
• Potential for errors and frauds
• Potential for increased management supervision
• Initiation or subsequent execution of transactions by computers
• Dependence of other controls on computer processing

Risks

Definitions
Risk is anything that may have an impact on an organisation’s ability to achieve its objectives.

Risk Management Process
Understand Objectives → Identify Risks → Assess Risks → Respond to Risks → Monitoring
• Understand Objectives: IT objectives should be defined so that they are in line with business objectives. The 7 IT objectives could be used as a basis.
• Identify Risks: anything that can affect the ability to achieve the above objectives, across People, Process and Technology.
• Assess Risks: LIKELIHOOD of occurrence and IMPACT on the objective are assessed at both the INHERENT and the RESIDUAL level.
• Respond to Risks: if RESIDUAL risk still exceeds ACCEPTABLE risk, an additional risk response should be implemented.
• Monitoring: all steps are monitored to ensure that risk and response remain aligned at all times.

IT Objectives

IT Identification
2. Risk Identification: People, Process & Technology
Internal & External
Hazard, Uncertainty & Opportunity
Root Cause
• Poor management (planning & policy)
• System (H/W & Technology)
• Skills of IT and non-IT
• Processing management (design & executions)
• Security management (policy & procedure)
• System (H/W & Technology & network)
• User awareness
• Hackers, Viruses
• System & network design
• Hardware fails
• External sabotage
• Viruses & Attack
• No BCP, backup & recovery
• System design (input, process & output)
• Hackers & Unauthorised access
• Poor authority granting procedures
• Unaware of, or not understanding, rules and regulations
• No monitoring

Risk Definition
• Acceptable Risk (Risk Appetite)
• Inherent Risk
• Residual Risk

Risk Response
1. Accepting (Take)
2. Reducing (Treat)
3. Avoiding (Terminate)
4. Sharing (Transfer)
COBIT can be used as a guideline for risk treatment.

Risk Matrix
Objectives
• Risk Factors
• Risk Rating (Likelihood / Impact)
• Current Controls
• Acceptable Risk Rating
• Control Improvement
Matrix columns: Risk Factors | Rating (L, I) | Current Controls | Rating (L, I) | Control Improvements

Risk Map
(Figure: each risk identifier – A1, A2, A4, A5, A7, B1, B5, C1, C2, C3, C4, E1, E2, F1, G2, G3, G5, H3, I2, I3, J1, K1, L1 – plotted on a Likelihood (1–5) against Impact (1–5) grid.)
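The assessment loop described on the risk management process, risk matrix and risk map slides above, worked through in code as an added example that is not part of the original deck: each risk is rated for likelihood and impact at the inherent level, the current controls reduce those ratings to a residual level, and any residual rating still above the acceptable rating is flagged for control improvement. The 1–5 scale, the acceptable threshold of 6, the way a control subtracts points from a rating, and the three sample risks are all constructed assumptions.

```python
"""Risk assessment worked through in code: likelihood and impact are rated 1-5 at the
INHERENT level, current controls reduce them to a RESIDUAL level, and any residual
rating still above the ACCEPTABLE rating is flagged for control improvement.
Added example, not from the original deck; the scale, the acceptable threshold, the
risk entries and the control effects are all constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPTABLE_RATING = 6  # assumed risk appetite: likelihood x impact of 6 or less is accepted


@dataclass
class Control:
    """A current control and how many points it takes off each rating (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str               # label as plotted on the risk map, e.g. "A1"
    objective: str             # the IT/business objective the risk threatens
    factor: str                # the risk factor (root cause / event)
    inherent_likelihood: int   # 1 = rare .. 5 = almost certain, before controls
    inherent_impact: int       # 1 = negligible .. 5 = severe, before controls
    current_controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.inherent_likelihood, self.inherent_impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: ratings must be on the 1-5 scale, got {value}")

    @property
    def inherent_rating(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_likelihood(self) -> int:
        # Controls can lower a rating but never below the bottom of the scale
        reduction = sum(c.likelihood_reduction for c in self.current_controls)
        return max(1, self.inherent_likelihood - reduction)

    @property
    def residual_impact(self) -> int:
        reduction = sum(c.impact_reduction for c in self.current_controls)
        return max(1, self.inherent_impact - reduction)

    @property
    def residual_rating(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def needs_improvement(self, acceptable: int = ACCEPTABLE_RATING) -> bool:
        """True when residual risk still exceeds the acceptable risk (risk appetite)."""
        return self.residual_rating > acceptable


def risk_matrix_rows(risks: List[Risk], acceptable: int = ACCEPTABLE_RATING) -> List[dict]:
    """One row per risk in the matrix's column layout, worst residual rating first."""
    rows = []
    for r in sorted(risks, key=lambda x: x.residual_rating, reverse=True):
        rows.append({
            "risk_id": r.risk_id,
            "objective": r.objective,
            "risk_factor": r.factor,
            "inherent_rating": (r.inherent_likelihood, r.inherent_impact),
            "current_controls": [c.name for c in r.current_controls],
            "residual_rating": (r.residual_likelihood, r.residual_impact),
            "acceptable_rating": acceptable,
            "control_improvement_required": r.needs_improvement(acceptable),
        })
    return rows


def risk_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Residual position of each risk on the likelihood/impact grid, keyed (L, I)."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault((r.residual_likelihood, r.residual_impact), []).append(r.risk_id)
    return grid


# Constructed sample register (not from the deck)
SAMPLE_RISKS = [
    Risk("A1", "Core systems available during business hours",
         "Hardware failure of the primary server", 3, 5,
         [Control("Redundant hardware", likelihood_reduction=1),
          Control("Tested backup and recovery", impact_reduction=2)]),
    Risk("C2", "Only authorised users access financial data",
         "Unauthorised access through weak passwords", 4, 4,
         [Control("Password policy enforced", likelihood_reduction=1)]),
    Risk("G3", "Transactions processed accurately",
         "Unauthorised program change reaches production", 2, 4,
         [Control("Change approval with segregated migration",
                  likelihood_reduction=1, impact_reduction=1)]),
]

if __name__ == "__main__":
    for row in risk_matrix_rows(SAMPLE_RISKS):
        flag = "IMPROVE" if row["control_improvement_required"] else "accept"
        print(row["risk_id"], row["inherent_rating"], "->", row["residual_rating"], flag)
    print(risk_map(SAMPLE_RISKS))
```

Running the block lists C2 first (residual 3 × 4 = 12, above the acceptable 6, so a control improvement is required), while A1 and G3 fall to 6 and 3 and are accepted. The monitoring step of the process corresponds to re-running this evaluation whenever a control, a rating or the risk appetite changes.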

22/11/07

IT Governance – The definition
“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
The relationships are between management and its governing body.
The processes cover:
- setting objectives
- giving direction on how to attain them
- measuring performance

IT Governance components
IT Governance focuses on:
• IT Value Delivery
• Managing Risks
• Resource Management

Critical mission for IT & Business Alignment
• Ensure that board members and other senior managers are continuously educated in IT.
• Ensure that IT leadership and key IT managers are given resources (especially time) to help them fully understand the business, its industry and its markets.
• Ensure that IT is a regular item on the board agenda, not just annually as part of the budgeting process.
• Embed the IT planning (three years of plan and budget) process into the enterprise strategic planning process.
• Establish appropriate IT-related committee structures.

IT Value Delivery
• What are the values that IT will deliver to an organisation?
  • Increased productivity
  • Provision of new services
  • Competitive advantages
  • Better image
• How will the values be delivered?
  • In line with business requirements
  • Flexible for future needs
  • Easy to use, durable and safe

Risk Management
• Establish an IT risk assessment process
• Continuously assess IT risks
• Define clear roles and responsibilities
• Report regularly on risks
• Embed risk management in IT processes

Performance Measurement

Overview

Product Family

COBIT 5 is based on 5 principles:
1. Meeting Stakeholder Needs: customised benefits realisation and optimised risk (goals cascade)
2. Covering the Enterprise: all functions and processes (not only IT)
3. A Single Integrated Framework: aligned with other standards and frameworks (at a high level)
4. A Holistic Approach: taking into account several interacting components (7 enablers)
5. Separate Governance from Management: a clear distinction between governance and management

Principle 1 – Meeting Stakeholder Needs (Cont)

Principle 2 – Covering the Enterprise

Principle 3 – A Single Integrated Framework

Principle 4 – A Holistic Approach

Principle 5 – Separate Governance from Management
- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Enabling Process

COBIT 5 – Process Reference Model
Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Align, Plan and Organise (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI)
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

COBIT 5 – Process Reference Model
Details of each process:
• Process Description
• Process Purpose Statement
• IT-Related Goals and Related Metrics
• Process Goals and Related Metrics
• Key Management Practices and RACI Chart
• Management Practice: Inputs, Outputs, Activities, Related Standards

IT Controls
Component of IT Controls
• IT Control Environment (Entity Level Control)
• IT General Control
• IT Application Control

Component of IT Controls
(Diagram of the layers: Control Environment, ITGC, App Control, Data Files)

Controls Environment
• IT Policies & Procedures
• IT Organisation Structures (Roles & Responsibilities)
• Human Resource Management
• Tone at the Top
• Culture

Controls Environment – IT Policies & Procedures
• IT usage policy
• IT security policy
• System development policy
• System development and change procedures
• Security administration procedure
• IT operation procedures & manuals

IT General Controls (ITGC)
• ITGC is the foundation of the overall control of the IT environment.
• ITGC is mainly the responsibility of IT management, and mostly sits within the IT department.
• COBIT is a good collection of all ITGC.

IT General Controls (ITGC)
• System development & changes
• Operation
• Disaster recovery plan
• Security Management

System Development & Changes

Who should be involved?
• Senior management
• User management & staff
• IT management & staff
• Auditors (?)
• Project Manager
• Project Owner
• Project Sponsor

Types of System Development
• In-house development
• Purchase of commercial software
• Considerations: implementation time, cost, reliability, independence, customisation, maintenance
Future Concern

Systems Development Today

Risks and Controls – What Management Needs to Know
• Are we building the right product?
• Are we building the product right?

Systems Development
Initiation Phase – Control Objectives
• Project objectives have been clearly defined, documented and communicated.
• Organizational structure, and reporting mechanism are properly defined.

Auditing Systems Development – Analysis Phase – Control Objectives
• Business and control requirements are clearly defined and documented.
• Requirements are consistent with objectives.

Auditing Systems Development – Design Phase – Control Objectives
• Design incorporates business requirements
• Design incorporates control requirements
• Design incorporates audit requirements
• Auditor requirements: embedded audit routines, exception reports

Auditing Systems Development – Construction Phase – Control Objectives
• New system is adequately tested
  - Comprehensive test plan
  - Business user involvement
  - IS involvement
  - Audit involvement
  - Documenting test results
• All requirements are tested

Auditing Systems Development – Implementation Phase – Control Objectives
• Critical operational controls have been implemented
• Business user approval
• System is migrated via a protected environment
• System performs as designed
• Original business requirements are satisfied

System Implementation
• Direct cutover
• Parallel Implementation
• Pilot Implementation
• Phase (module) implementation
System Documentation
• System manual
• Operation manual
• User manual
• User procedures

System Changes

General Controls – System Change (Background)
Controls must cover:
• Request/approval
• Feasibility studies
• Design/construction
• Testing
• Program transfers
• Parallel testing
• System documentation

Disaster Recovery Plan
The Hamburger Model
(Diagram: layered model of Threats, Shield, Your Business, Safety Net, Emergency Response and Impact, with the Business Continuity Plan and the Disaster Recovery Plan spanning the layers.)
• Threats: fire, flood, storm, bomb; power and equipment failures; computer system breakdown
• Shield: access controls, hazard detection & prevention, redundancy, backup
• Emergency Response: evacuate, medical, public relations, emergency funds
• Impact: massive disruption to business operations, adverse media coverage, poor image, customer confidence, financial loss

What is the right approach and/or solution? Risk Analysis

Business Continuity Plan
• An integrated set of procedures and resource information that is used to recover from an event that has caused a disruption to business operations.
• It answers the newspaper questions: who, what, when, where, why, how

IT Operation

IT Operation comprises:
• Turning systems on/off
• Monitoring usage
• Problem/incident handling
• Batch processing
• Backup/restore
• Report printing & distribution

IT Operation controls:
• Steps are clearly defined
• Adequate training
• Supervision

System Security

Security – Background
• Security can be broadly defined as the control structure established to manage:
  • Confidentiality
  • Integrity
  • Availability
  of IS data and resources.

Security – Background
Effective security includes:
• Management and administration
• Logical security
• Physical security

Security – Controls: Security Policy
• The policy is also a legal and human resources document and should be handled accordingly.
• All users should sign to indicate understanding of, and agreement to comply with, the security policy.
• All users should periodically (typically annually) re-confirm their continued understanding of, and compliance with, the security policy.
Page 66
Security - Password Controls
• Minimum length, e.g. 8 characters
• Alphanumeric plus special characters
• Expiry after a set number of days, e.g. 120 days
• Non-repeatable, e.g. none of the last 10 passwords used
• Not easily guessed, e.g. no dictionary words
• No sharing
• Suspend the account after a set number of invalid sign-on attempts
• Not displayed during log-in
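The controls on this slide can be enforced mechanically. The following checker is an added example, not code from the slides: it uses the slide's own example values (8 characters, 120 days, last 10 passwords), while the lockout count of 5, the salted PBKDF2 storage of the history, and the tiny dictionary word list are assumptions made for the demo.

```python
import hashlib
import os
import re
from datetime import date, timedelta
MIN_LENGTH = 8            # slide: "Minimum length, e.g. 8 characters"
MAX_AGE_DAYS = 120        # slide: "Expire every certain days, e.g. 120 days"
HISTORY_DEPTH = 10        # slide: "Non-repeatable, e.g. last 10 usages"
MAX_FAILED_ATTEMPTS = 5   # assumed value; the slide gives no number
PBKDF2_ROUNDS = 50_000    # lowered for the demo; use more in production
# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}

def hash_password(password, salt=None):
    """Salted PBKDF2 so the history store never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def matches(password, entry):
    # Re-derive the hash with the stored salt and compare digests.
    return hash_password(password, entry[0])[1] == entry[1]

def complexity_violations(password):
    """Static checks: length, character classes, dictionary words."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(p, password) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")):
        problems.append("needs letters, digits and a special character")
    # Strip digits/symbols so "Password1!" is still caught as a dictionary word.
    if re.sub(r"[^A-Za-z]", "", password).lower() in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems

class Account:
    def __init__(self, user):
        self.user = user
        self.history = []          # (salt, digest) tuples, oldest first
        self.changed_on = None     # date of the last accepted change
        self.failed_attempts = 0
        self.suspended = False

    def set_password(self, password, today):
        """Apply every policy check; store a new hash only if all pass."""
        problems = complexity_violations(password)
        if any(matches(password, e) for e in self.history[-HISTORY_DEPTH:]):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self.history.append(hash_password(password))
            self.changed_on = today
        return problems

    def expired(self, today):
        return self.changed_on is None or today - self.changed_on > timedelta(days=MAX_AGE_DAYS)

    def sign_on(self, password, today):
        """Deny when suspended or expired; suspend after repeated failures."""
        if self.suspended or not self.history or self.expired(today):
            return False
        if matches(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.suspended = True
        return False

def run_demo():
    # Walk one constructed account through the controls; returns the outcomes.
    day0 = date(2024, 1, 1)
    acct = Account("jdoe")
    out = {"weak_rejected": bool(acct.set_password("Password1!", day0))}
    out["strong_accepted"] = acct.set_password("Tr4ck-Audit-77", day0) == []
    out["reuse_rejected"] = bool(acct.set_password("Tr4ck-Audit-77", day0))
    out["login_ok"] = acct.sign_on("Tr4ck-Audit-77", day0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.sign_on("wrong-guess-1!", day0)
    out["suspended"] = acct.suspended
    out["expired_after_121_days"] = acct.expired(day0 + timedelta(days=121))
    return out
```

The "non-display during log-in" control is a user-interface property and is not modelled here; everything else on the slide maps to one check above.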
Page 67
How well do crackers crack passwords?
Page 68
Security - Controls - Physical Security
Typically involves:
• Physical access to hardware, software, and data
• Fire prevention, detection, and control
• Environmental hazard prevention, detection, and control
The safety of employees and personnel on-site must be the first concern.
Page 69
Security - Controls - Logical Security
Software-based controls that allow:
• Identification of individual users of IS data and resources
• Restriction of access to specific data or resources
• Generation of audit trails of system and user activity
Page 70
Access Control
[Diagram: two application stacks, Sales System and Accounting System; each is protected by an Access Control (A/P) layer and an Access Control (O/S) layer in front of the shared Database/Files/Tables.]
Page 71
Introduction to OS (cont)
Access Control Program
• Authentication
• Authorization
• Audit Logging
Page 72
Introduction to OS (cont)
Authentication
• Identification and confirmation of an individual using pre-defined access data stored in the system
• Types of authentication:
  - Knowledge
  - Possession
  - Characteristic
Page 73
Introduction to OS (cont)
Authorisation
• Check an individual's authorisation before allowing access to specific computer resources (e.g. data files, programs, commands, devices, communication capabilities, etc.)
• Individual rights and resource protection
• Best practice: allow access on a "need-to-use" basis only
Page 74
Introduction to OS (cont)
Audit Logging
• Recording critical activities, such as use of privileged IDs, critical processes, data and utilities, and security events
• Reviews and log maintenance
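The authorisation and audit-logging parts of the access control program on pages 71 to 74 can be shown in a few lines. This is an added example, not code from the slides: the user IDs, resources, permission matrix, the set of privileged IDs and the review threshold of three denials are all constructed for the demo, and authentication is assumed to have already established the user ID.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Authorisation matrix: (user, resource) -> permitted actions. Anything not
# listed is denied, i.e. access on a "need-to-use" basis only. Constructed data.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "PAYROLL.DAT"): {"read"},
    ("bob", "PAYROLL.DAT"): {"read", "write"},
    ("bob", "GL_POST"): {"execute"},
    ("sysadmin", "DISKUTIL"): {"execute"},
}
PRIVILEGED_IDS = {"sysadmin"}                 # use of these IDs is always logged as critical
CRITICAL_RESOURCES = {"GL_POST", "DISKUTIL"}  # critical process / utility
DENIAL_THRESHOLD = 3                          # assumed review threshold for repeated denials


@dataclass
class LogEntry:
    when: datetime
    user: str
    resource: str
    action: str
    decision: str        # "ALLOW" or "DENY"
    critical: bool       # flagged for reviewer attention


@dataclass
class AccessControlProgram:
    audit_log: List[LogEntry] = field(default_factory=list)

    def authorise(self, user: str, resource: str, action: str, when: datetime) -> bool:
        """Deny by default; every decision, allowed or not, is written to the log."""
        allowed = action in PERMISSIONS.get((user, resource), set())
        critical = (not allowed) or user in PRIVILEGED_IDS or resource in CRITICAL_RESOURCES
        self.audit_log.append(LogEntry(when, user, resource, action,
                                       "ALLOW" if allowed else "DENY", critical))
        return allowed


def review_log(log: List[LogEntry]) -> List[str]:
    """Periodic log review: privileged-ID activity, critical-resource use, repeated denials."""
    findings = []
    for e in log:
        if e.decision == "ALLOW" and e.user in PRIVILEGED_IDS:
            findings.append(f"privileged ID {e.user} used {e.resource} at {e.when:%H:%M}")
        elif e.decision == "ALLOW" and e.resource in CRITICAL_RESOURCES:
            findings.append(f"{e.user} ran critical resource {e.resource} at {e.when:%H:%M}")
    denials = Counter(e.user for e in log if e.decision == "DENY")
    for user, n in sorted(denials.items()):
        if n >= DENIAL_THRESHOLD:
            findings.append(f"{user}: {n} denied attempts, review with the user's manager")
    return findings


def run_demo() -> Tuple[List[bool], List[str]]:
    """Constructed day of activity; returns the decisions and the review findings."""
    acp = AccessControlProgram()
    t = datetime(2024, 3, 1, 9, 0)
    decisions = [
        acp.authorise("alice", "PAYROLL.DAT", "read", t),      # permitted
        acp.authorise("alice", "PAYROLL.DAT", "write", t),     # not permitted
        acp.authorise("alice", "GL_POST", "execute", t),       # not permitted
        acp.authorise("alice", "DISKUTIL", "execute", t),      # not permitted
        acp.authorise("bob", "GL_POST", "execute", t),         # permitted, critical resource
        acp.authorise("sysadmin", "DISKUTIL", "execute", t),   # permitted, privileged ID
    ]
    return decisions, review_log(acp.audit_log)
```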
Page 75
DATABASE
Page 76
Flat File vs Database
[Diagram contrasting flat files with a database; labels: Database, DBMS, Acct, Mkt, Finance, Prod, Query 1, Query 2, customer, invoices, Receipts, Products.]
Page 77
Database Model
[Diagram: Users run Applications (User Programs) that issue Transactions to the DBMS (Data Definition Language, Data Manipulation Language, Query Language); the DBMS runs on the Host Operating System above the Physical Database, with System Development and the Database Administrator shown alongside.]
Page 78
Computer Network
Page 79
Network Components
• Computer servers/desktops (with network communication hardware)
• Cable/wire/wireless
• Network equipment
  • Router
  • Firewall
  • Bridge
  • Repeater
• Protocol
Page 80
Network Terminology
• Public Network
• Private Network
• Virtual Private Network
Page 81
Network Controls
• Network design (zoning & segmentation)
• Network equipment placement and settings
• Network security software
• Others
Page 82
Network Zoning
Page 83
Network Equipment - Firewall
Controls
• OS controls
• Firewall admin restrictions
• Rule base settings
Page 84
Application Controls
Page 85
Application Controls - Background
• Specific to an application, and independent of other applications
• Address completeness, accuracy, validity and authorization of data being processed by the system
• Controls can be "automated" or "manual" and can be "preventive", "detective" or "corrective"
• Automated processing
• The level of control depends on the level of business risk
Page 86
Application Controls - Risks
• Application functions may not be adequately segregated
• Users may have excess system authorities
• Transactions may be entered incorrectly, incompletely, more than once, or not in a timely manner
• Transactions may be processed incorrectly, incompletely, more than once, or not in a timely manner
• Outputs may not be properly and safely used
Page 87
Application Controls - Background
1. Access to application functions (segregation of duties within the application)
2. Input controls (incl. reject/suspend inputs, interfaces)
   1. Planning & design
   2. Edit/validate by the system
   3. Procedures to review accuracy and completeness of input
3. Processing controls
4. Output controls (usage & confidentiality)
Page 89
Computer Environment
[Diagram repeated from page 2: the three audit areas, Audit the General Controls, Audit the Application Controls and Using Tools to Audit the Information, shown against the Computer Center, Application and Data Files.]
Page 90
IT Auditing Areas
Page 91
RISK BASED AUDIT APPROACH
[Diagram: Risk is addressed by Internal Controls, leaving Controlled Risks and Uncontrolled Risks; the Audit tests the efficiency of controls and responds with Advice for Improvement / Substantive Test.]
Page 93
Auditing Process
[Diagram: Strategic Planning → Assignment Planning → Execution → Reporting → Follow-Up.]
Page 94
Auditing Process - Strategic Planning
[Diagram: Business Objectives → Define Auditable Areas → Risk Assessment (Define Weight of Objectives, Define Risk Factors, Assessment) → Prioritise → Define Audit Approach → Identify Resources → Audit Schedule → Audit Strategic Plan. Phase bar: Strategic Planning, Assignment Planning, Execution, Reporting, Follow-Up.]
Page 95
Auditing Process - Assignment Planning
[Diagram: Obtain Understandings (System Documentation, Walk-Through Testing) → Risk/Control Analysis (Identify Risks; Risks vs Control Procedures; Identify Key Controls) → Prepare Audit Programs (Procedures vs Audit Instructions) → Allocate Staff. Phase bar: Strategic Planning, Assignment Planning, Execution, Reporting, Follow-Up.]
Page 96
Computer Assisted Audit Technique (CAAT)
Page 97
Computer Environment
[Diagram repeated from page 2: the three audit areas, Audit the General Controls, Audit the Application Controls and Using Tools to Audit the Information, shown against the Computer Center, Application and Data Files.]
Page 98
Nature of CAAT
• Who should be responsible for CAAT?
• Ideally, the general auditor should be responsible for all steps.
• In reality, the computer auditor plays a supporting role.
Page 99
CAAT Considerations
• Mix of computer and manual tests
• Computer knowledge, expertise and experience of the auditor
• Reliability of general computer controls
• Availability of CAATs and suitable facilities
• Impracticability of manual audit procedures
• Effectiveness and efficiency of the testing
• Development time
Page 100
CAAT Objectives
• Detailed testing of transactions, data, and processes where efficiency and effectiveness can be gained, or in cases where manual testing is not possible or feasible, including:
  • Testing of accuracy & completeness of processes
  • Analysis and test of data
  • Fraud analysis & evidence collection
Page 101
Parallel Simulation
[Diagram, five numbered steps: the application process produces its report; the production data is downloaded to removable storage; the auditor develops a CAAT program; the CAAT program is run on the downloaded data to produce the auditor's report; finally (step 5) the two reports are compared.]
Page 102
Test Data Approach / Test Transactions
[Diagram, four numbered steps: (1) the application program is copied (Copied Program); (2) CAAT test data is prepared on removable storage; (3) the expected results are calculated manually into a report; (4) the copied program's report is compared with the manual calculation.]
Page 103
CAAT Steps
[Diagram: (1) Determine if CAAT is appropriate? → (2) Define audit objectives → (3) Determine required data → (4) Arrange for data download → (5) Perform analysis & testing → (6) Summarise & document.]
Page 104
CAAT Steps (cont)
[Diagram as on page 103.]
• Audit objectives should link to business risks or audit risks
• The auditor requires an understanding of the system
• Consult with the system development group before finalising
Test types:
• Mathematical accuracy
• Analytical review
• Validity (exception testing & duplicates)
• Completeness (gaps)
• Cut-off
Page 105
CAAT Steps (cont)
[Diagram as on page 103.]
• Understand business process and conditions
• Field and record conditions
• Understand calculation formula and methods
• Conceptual design of the testing
• Build & test
• Actual analysis & testing
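The parallel simulation of page 101 and the test types of page 104 (mathematical accuracy, analytical review, validity/duplicates, completeness/gaps, cut-off) can be run as one CAAT program over a downloaded extract. The following is an added example, not code from the slides: the invoice fields, the formula net × (1 + VAT rate), the period end and the extract itself are constructed, with four exceptions seeded so that each test finds something.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str
    invoice_date: date
    net: Decimal
    vat_rate: Decimal
    total: Decimal          # total as posted by the application under audit


# Constructed extract with seeded exceptions: 1004 has a wrong posted total,
# 1005 is missing (gap), 1006 appears twice, 1007 is dated after period end.
EXTRACT = [
    Invoice(1001, "ACME", date(2024, 3, 5), Decimal("100.00"), Decimal("0.20"), Decimal("120.00")),
    Invoice(1002, "BETA", date(2024, 3, 12), Decimal("250.50"), Decimal("0.20"), Decimal("300.60")),
    Invoice(1003, "ACME", date(2024, 3, 20), Decimal("80.00"), Decimal("0.05"), Decimal("84.00")),
    Invoice(1004, "GAMMA", date(2024, 3, 28), Decimal("999.99"), Decimal("0.20"), Decimal("1190.99")),
    Invoice(1006, "BETA", date(2024, 3, 30), Decimal("45.00"), Decimal("0.20"), Decimal("54.00")),
    Invoice(1006, "BETA", date(2024, 3, 30), Decimal("45.00"), Decimal("0.20"), Decimal("54.00")),
    Invoice(1007, "ACME", date(2024, 4, 2), Decimal("60.00"), Decimal("0.20"), Decimal("72.00")),
]
PERIOD_END = date(2024, 3, 31)    # cut-off date for the period under audit


def simulated_total(inv: Invoice) -> Decimal:
    """Parallel simulation: the auditor's own program recomputes the documented formula."""
    return (inv.net * (1 + inv.vat_rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def mathematical_accuracy(extract: List[Invoice]) -> List[int]:
    """Compare the application's posted total with the simulated one; report differences."""
    return [inv.number for inv in extract if simulated_total(inv) != inv.total]


def duplicates(extract: List[Invoice]) -> List[int]:
    """Validity: invoice numbers that occur more than once."""
    counts = Counter(inv.number for inv in extract)
    return sorted(n for n, c in counts.items() if c > 1)


def gaps(extract: List[Invoice]) -> List[int]:
    """Completeness: numbers missing from the sequence between lowest and highest."""
    seen = {inv.number for inv in extract}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def cut_off(extract: List[Invoice], period_end: date = PERIOD_END) -> List[int]:
    """Cut-off: invoices dated after period end but included in the period's extract."""
    return [inv.number for inv in extract if inv.invoice_date > period_end]


def analytical_review(extract: List[Invoice]) -> Dict[str, Decimal]:
    """Analytical review: posted totals by customer, for comparison with expectations."""
    by_customer: Dict[str, Decimal] = {}
    for inv in extract:
        by_customer[inv.customer] = by_customer.get(inv.customer, Decimal("0")) + inv.total
    return by_customer


def run_caat(extract: List[Invoice] = EXTRACT) -> dict:
    """Step 5 of the CAAT steps: perform the analysis and collect exceptions to document."""
    return {
        "accuracy_exceptions": mathematical_accuracy(extract),
        "duplicates": duplicates(extract),
        "gaps": gaps(extract),
        "cut_off_exceptions": cut_off(extract),
        "totals_by_customer": analytical_review(extract),
    }
```

In a real engagement the extract would be the data downloaded in step 4, and each exception list would be followed up against source documents before being written into the audit file.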
Page 106
Audit Software
• Generalised Audit Software
• Specialised Audit Software
• Report Writer Utilities / Query Language
• Micro Computer Applications
106
Page 108
Control quadrant: Cost vs. flexibility (source: PwC)
[Diagram: a 2x2 grid with flexibility (high/low) on one axis and cost (high/low) on the other, placing Manual detective controls, Real-time detective controls, Automated preventive controls and Manual preventive controls in the four quadrants.]
Page 109
Continuous auditing overview - Continuous Controls Monitoring
Continuous Assurance
• Combination of continuous auditing and audit oversight of continuous monitoring
Continuous Auditing
• Includes monitoring, assessing and mitigating risk associated with operations, finance and fraud, automatically and on a more frequent basis.
• Performed by Internal Audit or Controls Dept.
Continuous Monitoring
• Includes the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively.
• Performed by operational/financial management
Page 110
Internal Audit Process Framework – as is: Technology as an enabler
[Diagram: Annual Risk Assessment → Audit Plan → Fieldwork → Reporting → Wrap-Up. Note placed at Fieldwork: "Technology is being applied here (in audit management and data analysis), to speed up audit process…"]
Page 111
How CM/CA should be developed
[Diagram: (1) Planning: choose the right area/business process; (2) Risk Assessment: identify key risk indicators and the data required for analysis; (3) Acquire & Prepare: Source Systems (Billing, ERP, HR, Custom) → Extractor → Data; (4) Analyze: Analytics Workbench and Process Analytics over Transactions and GL Accounts; (5) Manage & Report: Approvals.]