Risk Management
IT Controls
Risk management process
IT controls
IT Governance Frameworks
The Risk Management Process
Identify IT Risks
Assess IT Risks
Identify IT Controls
Document IT Controls
Monitor IT Risks and Controls
IT and Transaction Processing
The IS collects transaction data
The IS turns data into information
Computerized transaction systems increase some risks and decrease others
AIS Threat Examples
Fraud
Computer crimes
Nonconformity with agreements & contracts between the organization & third parties
Violations of intellectual property rights
Noncompliance with other regulations & laws
Types of IT Risks
Business risk
Audit risk = IR * CR * DR
– inherent risk (IR)
– control risk (CR)
– detection risk (DR)
Security risk
Continuity risk
Valuation of Asset
What do we stand to lose?
Assets: People, Data, Hardware, Software, Facilities, (Procedures)
Valuation Methods
– Criticality to the organization’s success
– Revenue generated
– Profitability
– Cost to replace
– Cost to protect
– Embarrassment/Liability
IT Controls
COSO identifies two groups of IT controls:
– Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
– General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
Application Control Goals
Input validity
– Input data are approved and represent actual economic events and objects
Input completeness
– Requires that all valid events or objects be captured and entered into the system
Input accuracy
– Requires that events be correctly captured and entered into the system
Classification of Controls
Preventive Controls: issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
Detective Controls: issue is discovered – unauthorized disbursement is discovered during reconciliation
Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data
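The three input goals from the Application Control Goals slide and the preventive/detective/corrective split above, carried into code as an added example that is not part of the original slides: each keyed row of a cash-receipts batch is checked for validity and accuracy before it is accepted (preventive), the accepted rows are compared with control totals and a document sequence for completeness (detective), and the result is an error-and-summary report that tells a clerk exactly which documents to re-enter (corrective). The approved-customer list, the Batch class, the field names and the sample rows are all constructed for this example.

```python
"""Application controls over one batch of keyed transactions, added here as an
illustration; nothing in it comes from the slides. The approved-customer list,
the batch control totals and the keyed rows are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed master data: customers approved before the batch was keyed.
APPROVED_CUSTOMERS = {"C100", "C101", "C102"}


@dataclass
class Batch:
    expected_count: int        # control total: number of documents in the batch
    expected_amount: Decimal   # control total: sum of amounts on the source documents
    rows: list                 # keyed rows: dicts with seq, customer, amount


def validate_row(row):
    """Preventive control: a row is rejected before it enters the system unless
    it is valid (an approved customer, i.e. a real, authorized economic object)
    and accurate (a positive money amount with at most two decimals).
    Returns (ok, reason)."""
    if row.get("customer") not in APPROVED_CUSTOMERS:
        return False, "validity: customer not approved"
    try:
        amount = Decimal(str(row.get("amount")))
    except InvalidOperation:
        return False, "accuracy: amount is not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return False, "accuracy: amount must be positive with at most two decimals"
    return True, ""


def process_batch(batch):
    """Runs the preventive check on every row, then the detective control
    (control totals plus a document-sequence check for completeness), and
    returns the error-and-summary report that drives the corrective step."""
    accepted, errors = [], []
    for row in batch.rows:
        ok, reason = validate_row(row)
        if ok:
            accepted.append(row)
        else:
            errors.append({"seq": row.get("seq"), "reason": reason})

    # Detective control (completeness): accepted count and amount must match
    # the control totals taken from the source documents, and every document
    # number 1..expected_count must have been keyed at least once.
    keyed_seqs = {row.get("seq") for row in batch.rows}
    never_keyed = sorted(set(range(1, batch.expected_count + 1)) - keyed_seqs)
    accepted_amount = sum((Decimal(str(r["amount"])) for r in accepted), Decimal("0"))

    rejected_seqs = [e["seq"] for e in errors]
    return {
        "accepted": len(accepted),
        "rejected": len(errors),
        "count_ok": len(accepted) == batch.expected_count,
        "amount_ok": accepted_amount == batch.expected_amount,
        "never_keyed": never_keyed,
        "errors": errors,
        # Corrective control: the clerk re-enters exactly these document numbers.
        "reenter": sorted(set(rejected_seqs) | set(never_keyed)),
    }


def sample_batch():
    """Constructed batch: four source documents totalling 1,250.00, of which
    only three were keyed and two of those were keyed wrongly."""
    return Batch(
        expected_count=4,
        expected_amount=Decimal("1250.00"),
        rows=[
            {"seq": 1, "customer": "C100", "amount": "500.00"},
            {"seq": 2, "customer": "C999", "amount": "250.00"},  # customer not approved
            {"seq": 3, "customer": "C101", "amount": "3OO.00"},  # letter O keyed for zero
            # document 4 (200.00) was never keyed
        ],
    )


if __name__ == "__main__":
    for key, value in process_batch(sample_batch()).items():
        print(f"{key}: {value}")
```

The control totals are the part worth copying: a per-row check cannot notice a document that was never keyed at all, which is why completeness needs a batch-level detective control rather than more input validation.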
Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.
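The two segregation rules above, expressed as code in an added example that is not part of the original slides: a conflicting-duty table (authorize vs. process, custody vs. record) is applied both as a preventive check before a user is allowed to take a step and as a detective check over a workflow log, which is where an auditor would look for one person having performed both halves of a pair. The duty names, the log format, the user names and the transaction ids are all constructed for this example.

```python
"""Segregation-of-duties rules applied to a constructed workflow log. Added as
an illustration; the duty pairs follow the two rules on the slide, while the
log format, users and transaction ids are made up."""
from collections import defaultdict

# Duty pairs that must not be performed by the same person on one transaction.
CONFLICTING_DUTIES = {
    frozenset({"authorize", "process"}),   # authorization vs. transaction processing
    frozenset({"custody", "record"}),      # asset custody vs. record-keeping
}

# Constructed workflow log, one step per line: "txn_id,duty,user".
SAMPLE_LOG = """\
T1,authorize,alice
T1,process,bob
T1,custody,carol
T1,record,dave
T2,authorize,bob
T2,process,bob
T2,custody,erin
T2,record,erin
T3,authorize,alice
T3,process,dave
T3,custody,carol
T3,record,carol
"""


def parse_log(text):
    """Returns {txn_id: {duty: set(users who performed it)}}."""
    duties = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        txn, duty, user = (f.strip() for f in line.split(","))
        duties[txn][duty].add(user)
    return duties


def sod_violations(duties):
    """Detective control: every (txn, user, duty_a, duty_b) where a single user
    performed both halves of a conflicting pair on the same transaction.
    Anything listed here was possible without collusion."""
    found = []
    for txn, by_duty in duties.items():
        for pair in CONFLICTING_DUTIES:
            a, b = sorted(pair)
            for user in by_duty.get(a, set()) & by_duty.get(b, set()):
                found.append((txn, user, a, b))
    return sorted(found)


def may_perform(duties, txn, duty, user):
    """Preventive control: refuse a step that would hand one user both halves
    of a conflicting pair on this transaction."""
    done_by_user = {d for d, users in duties.get(txn, {}).items() if user in users}
    for pair in CONFLICTING_DUTIES:
        if duty in pair and (pair - {duty}) & done_by_user:
            return False
    return True


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for violation in sod_violations(log):
        print("SoD violation:", violation)
    print("alice may process T1:", may_perform(log, "T1", "process", "alice"))
```

Only the two pairs from the slide are encoded; an organization's own conflict matrix is usually longer, and the same two functions work unchanged when more pairs are added to `CONFLICTING_DUTIES`.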
Separation of Duties within IS
Documenting IT Controls
Internal control narratives
Flowcharts – internal control flowchart
IC questionnaires
Risk Control Strategies
Avoidance
– Policy, Training and Education, or Technology
Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
Mitigation – reducing the impact through planning and preparation
Acceptance – doing nothing if the cost of protection does not justify the expense of the control
Monitoring IT Risks and Controls
CobiT control objectives associated with monitoring and evaluation
Need for independent assurance and audit of IT controls
IT Governance
…the process for controlling an organization’s IT resources, including information and communication systems, and technology.
…using IT to promote an organization’s objectives and enable business processes and to manage and control IT related risks.
IT Auditors ensure IT governance by assessing risks and monitoring controls over those risks
COSO and Internal Control (IC)
COSO – 5 components of IC
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
International IC Standards
– Cadbury
– CoCo
– Other country standards
ISACA’s CobiT
Integrates IC with information and IT
Three dimensions: information criteria, IT processes, and IT resources
Requirements (information criteria) of quality, fiduciary, and security
Organizes IT internal control into domains and processes
– Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– Processes detail steps in each domain
IT Control Domains and Processes
What do IT auditors do?
Ensure IT governance by assessing risks and monitoring controls over those risks
Work as either internal or external auditors
Work on many kinds of audit engagements