IT Risks and Controls
Revised 2014
Contents
• Internal Control
  - What is internal control?
  - Objectives of internal controls
  - Types of internal controls
  - Elements of internal controls
  - Categories of internal controls
• Risk
  - Risk management control
  - Types of risk
  - Risk IT framework by ISACA
CIS
B424, Sulfeeza
Internal Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved
(Source: Cascarino, 2012)
Objectives and goals of an organization can be divided into:
a) Corporate objectives – the statement of corporate intent
b) Management objectives – how the corporate objectives will be met
Internal Control
Whose responsibility?
• Management is responsible for ensuring that controls are properly planned, organized and directed
a) Planning – establishing control objectives, goals and choosing the preferred method of utilizing resources
b) Organizing – gathering the required resources and arranging them so that objectives may be attained
c) Directing – authorizing, instructing and monitoring performance
Objectives of Internal Control
1. Reliability and integrity of information
2. Compliance with policies, plans, procedures, laws and regulations
3. Safeguarding assets
4. Effectiveness and efficiency of operations
Types of Internal Control
1. Preventive controls – steps designed to keep errors or irregularities from occurring in the first place
2. Detective controls – steps designed to detect errors or irregularities that may have occurred
3. Corrective controls – steps designed to correct errors or irregularities that have been detected
4. Directive controls – steps designed to produce positive results and encourage acceptable behaviors
5. Compensating controls – a weakness in one control may be compensated by another control elsewhere
(Source: Cascarino, 2012; https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)
Elements of Internal Control
Management must ensure the following when designing internal controls:
1. Segregation of duties
2. Competence and integrity of people
3. Appropriate level of authority
4. Accountability
5. Adequate resources
6. Supervision and review
(Source: Cascarino, 2012)
Limitations of Internal Control
1. Judgment
2. Breakdowns
3. Management Override
4. Collusion
(Source: https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)
Categories of IT controls
• Objectives of IT controls are related to the confidentiality, integrity and availability of data and the overall management of the IT function in an organization
• IT controls can be categorized as:
1. IT general controls
2. IT application controls
(Source: Wikipedia)
IT General Controls
• Help to ensure the reliability of data generated by IT systems
• Areas included:
1. General IT controls
2. Computer operations
3. Physical security
4. Logical security
5. Program change control
6. Systems development
(Source: Cascarino, 2012; Wikipedia)
IT Application Controls
• Help to ensure the completeness and accuracy of data processing, from input to output
• Among the controls that can be implemented:
1. Completeness check
2. Validity check
3. Identification
4. Authentication
5. Authorization
6. Input controls
7. Forensic controls
(Source: Wikipedia)
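As an added illustration (this is not code from the lecture slides), the following Python script applies several of the application controls listed above to a constructed payment request: a completeness check, a validity check, identification/authentication and authorization act as preventive controls, and an audit trail of every decision acts as a detective control in the sense of the "Types of Internal Control" slide. The session tokens, roles, currency set, amount limit and sample request are assumed values.

```python
"""Added illustration (not from the lecture slides): IT application controls
applied to a constructed payment request, with an audit trail so that
rejected attempts can be reviewed later. Sessions, roles, limits and the
sample request are all assumed values."""
from dataclasses import dataclass
from datetime import date

# Constructed lookup tables (assumed, not from the slides)
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}      # session token -> user
ROLES = {"alice": "clerk", "bob": "approver"}             # user -> role
PERMISSIONS = {                                           # action -> roles allowed
    "submit_payment": {"clerk", "approver"},
    "approve_payment": {"approver"},
}
REQUIRED_FIELDS = ("payee", "amount", "currency", "due_date")
ALLOWED_CURRENCIES = {"USD", "EUR", "MYR"}
AMOUNT_LIMIT = 10_000.00

# Detective control: every decision, accepted or rejected, is recorded here
AUDIT_LOG = []


@dataclass
class Decision:
    accepted: bool
    control: str        # the control that decided ("accepted" when all passed)
    reason: str = ""


def completeness_check(record):
    """Preventive control: list the required fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]


def validity_check(record):
    """Preventive control: list field values outside the allowed ranges/formats."""
    problems = []
    amount = record.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        problems.append("amount must be a positive number")
    elif amount > AMOUNT_LIMIT:
        problems.append(f"amount exceeds limit of {AMOUNT_LIMIT:.2f}")
    if record.get("currency") not in ALLOWED_CURRENCIES:
        problems.append("currency not in allowed set")
    try:
        date.fromisoformat(record.get("due_date"))
    except (TypeError, ValueError):
        problems.append("due_date is not an ISO date")
    return problems


def authenticate(token):
    """Identification/authentication: map a session token to a known user, or None."""
    return SESSIONS.get(token)


def authorize(user, action):
    """Authorization: is the user's role permitted to perform the action?"""
    return ROLES.get(user) in PERMISSIONS.get(action, set())


def _record(decision, user, action):
    """Detective control: append the decision to the audit trail and pass it through."""
    AUDIT_LOG.append({"user": user, "action": action, "accepted": decision.accepted,
                      "control": decision.control, "reason": decision.reason})
    return decision


def process_request(token, action, record):
    """Apply the controls in order; the first one that fails rejects the request."""
    user = authenticate(token)
    if user is None:
        return _record(Decision(False, "authentication", "unknown session token"), None, action)
    if not authorize(user, action):
        return _record(Decision(False, "authorization", f"{user} may not {action}"), user, action)
    missing = completeness_check(record)
    if missing:
        return _record(Decision(False, "completeness", "missing: " + ", ".join(missing)), user, action)
    problems = validity_check(record)
    if problems:
        return _record(Decision(False, "validity", "; ".join(problems)), user, action)
    return _record(Decision(True, "accepted"), user, action)


# Constructed sample request
SAMPLE_REQUEST = {"payee": "ACME Ltd", "amount": 250.0, "currency": "USD", "due_date": "2014-06-30"}

if __name__ == "__main__":
    print(process_request("tok-alice", "submit_payment", SAMPLE_REQUEST))
    print(process_request("tok-alice", "approve_payment", SAMPLE_REQUEST))
    print(process_request("tok-alice", "submit_payment", {**SAMPLE_REQUEST, "amount": 50_000.0}))
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters: authentication and authorization run before any data is inspected, so an unauthenticated caller learns nothing about which fields are required, and the audit trail records who attempted what regardless of the outcome.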
IT General and Application Controls Hierarchy
[Figure: layered diagram with the levels Governance, Management and Technical, and the layers (in the order extracted) Policies; IT Standards; Management and Organization; Physical and Environmental Controls; Systems Software Controls; Systems Development Controls; Application-based controls]
Risks
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action
(Source: BusinessDictionary.com)
Risks
So what are threats and vulnerabilities?
• Threat – A possible danger that might exploit a vulnerability to breach security and thus cause possible harm (Source: Wikipedia)
• Vulnerabilities – A weakness of an asset or group of assets that can be exploited by one or more threats
(Source: ISO)
Types of Risks
1. Business Risk – The possibility that a company will have lower than anticipated profits, or that it will experience a loss rather than a profit (Source: Investopedia)
2. Audit Risk
a) Inherent Risk – The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances (Source: BusinessDictionary.com)
b) Control Risk – The likelihood that the control processes established to manage inherent risk prove to be ineffective (Source: Cascarino, 2012)
c) Residual Risk – The risk that significant business exposures have not been adequately addressed by the audit process (Source: Cascarino, 2012)
3. Continuity Risk – The possibility that a company will not be able to continue its operations due to weakness in control
IT Risks
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence (Source: ISO)
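The ISO definition above measures IT risk as a combination of the probability of occurrence and the consequence, and the Risk IT evaluation domain later in these slides asks for risks to be presented in business terms. As an added illustration (not code from the slides or from ISACA), the Python script below scores a constructed risk register on two five-point ordinal scales, multiplies them, maps the product to a named band and ranks the entries. Each entry names the asset, threat and vulnerability as defined on the "Risks" slide and is tagged with one of the three Risk IT categories; the scales, the bands and the sample entries are assumed values.

```python
"""Added illustration (not from the lecture slides): scoring a constructed IT
risk register as probability of occurrence x consequence, following the ISO
definition quoted above, then ranking the entries for a risk evaluation
report. The five-point scales, the score bands and the sample entries are
assumed values, not taken from the lecture."""
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest) for the two factors in the ISO definition
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed bands over the 1..25 product; the names are what a report would show
BANDS = [(1, 4, "low"), (5, 9, "medium"), (10, 14, "high"), (15, 25, "critical")]


@dataclass
class Risk:
    asset: str          # what is exposed
    threat: str         # the possible danger
    vulnerability: str  # the weakness the threat could exploit
    likelihood: str     # key into LIKELIHOOD
    consequence: str    # key into CONSEQUENCE
    category: str       # one of the three Risk IT categories listed on the slides


def score(risk):
    """Risk = probability of occurrence x consequence, on the assumed scales."""
    try:
        return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]
    except KeyError as err:
        raise ValueError(f"unknown rating {err} for {risk.asset}") from None


def band(value):
    """Translate a numeric score into the band name a business reader expects."""
    for low, high, name in BANDS:
        if low <= value <= high:
            return name
    raise ValueError(f"score {value} outside 1..25")


def evaluate(register):
    """Return (asset, threat, score, band, category) rows, highest score first."""
    rows = [(score(r), r) for r in register]
    rows.sort(key=lambda pair: pair[0], reverse=True)   # stable: ties keep register order
    return [(r.asset, r.threat, s, band(s), r.category) for s, r in rows]


# Constructed sample register
SAMPLE_REGISTER = [
    Risk("payroll database", "ransomware", "unpatched file server",
         "possible", "severe", "IT service delivery"),
    Risk("ERP upgrade project", "project overrun", "weak change control",
         "likely", "moderate", "IT solution delivery"),
    Risk("order intake", "missed automation opportunity", "manual re-keying of orders",
         "almost certain", "minor", "IT benefit realization"),
    Risk("office wireless", "eavesdropping", "legacy encryption setting",
         "unlikely", "minor", "IT service delivery"),
]

if __name__ == "__main__":
    for asset, threat, s, b, category in evaluate(SAMPLE_REGISTER):
        print(f"{b:8} {s:2}  {asset}: {threat}  [{category}]")
```

Ordinal scales are used deliberately: a register rarely has defensible numeric probabilities, so the multiplication is a ranking device rather than an expected-loss figure, and the band names are what carries the result into a management discussion.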
Categories of IT Risks
1. IT service delivery risk - associated with the performance and availability of IT services
2. IT solution delivery/benefit realization risk - associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs
3. IT benefit realization risk - associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives
Risk Management
The process which aims to help organizations to understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure
(Source: Institute of Risk Management)
Risk IT Framework
Domains of Risk IT Framework
a) Risk Governance — Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
b) Risk Evaluation — Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.
c) Risk Response — Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.