Application-level IT Risk Assessment
Kerry L. Shackelford, KLS Consulting LLC
ISACA Denver Chapter Meeting, February 21, 2008
Outline
- Why this topic?
- SEC interpretive guidance
- ABC's implementation approach
- Design of the ITRA model
- Model walk-through / Q&A
Why This Topic? GRC Spending Skyrockets
- Governance: Board and Entity Management; Corporate Policy and Procedure Management; IT Governance (CobiT, ISO & ISM); Internal Audit Departments
- Risk: Enterprise Risk Mgt (COSO, COCO); Operational Risk Mgt; IT Risk Mgt (CobiT, ITIL, etc.); Financial Institution Risk Mgt (Basel II, etc.)
- Compliance: Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.); SOX-Like (Japan, Canada, EU); Specific Areas (PCI-DSS, AML, etc.); Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)
Why This Topic? US Congress Responds
Why This Topic? Corporate Outcry Begins
“The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.”
Journal of Accountancy, “Two Years and Counting,” June 2007
Why This Topic? Fix: Audit Firms
- Per the PCAOB policy statement issued 5/16/05, the auditors should:
  - Integrate their audits
  - Tailor audit plans to their client’s risks
  - Use a top-down approach
  - Use the work of others
  - Communicate directly and timely with clients
Why This Topic? SOX Year Two
Why This Topic? Corporate Outcry (Cont)
- The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.
Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services,
SEC Interpretive Guidance for Issuer Management
- Guidance Regarding Management’s Report on Internal Control Over Financial Reporting
  - Effective Date: June 27, 2007
  - www.sec.gov/rules/interp/2007/ pdf
- ACTION: Interpretation.
SEC Interpretive Guidance: Underlying Principles
- Management should:
  - Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
  - Base its assessment of risk on the evaluation of evidence about the operation of its controls.
ITRA Overview - Approach
- Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
- Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
- Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.
ITRA Model Walk-Through
ITRA Run Settings
- Assignment of point values to risk factors
- Break points which define Low, Medium, and High risk applications
- Excluding risk factor categories from results
- Excluding missing / unknown data
ITRA Risk Factors
- Information categories
  - APPL (Application Systems)
  - ADOS (Application / Database Server Operating Systems)
  - DBMS (Data Base Management Systems)
- Plus basic APPL information
- Bias towards objective vs. subjective evaluation criteria
ITRA APPL Basic Information
- Name
- SOX-Indicator-IC-Dept
- Vendor-Name
- Original-Implementation-Date
- Major-Release-Implementation-Date
- Software-Version
- Support-Source
- Infrastructure Management-Source
- App-Server-OS-Vendor, Product, Version, & SP-Level
- DB-Server-OS-Vendor, Product, Version, & SP-Level
- DB-DBMS-Vendor, Product, Version, & SP-Level
ITRA APPL Risk Factors (1 of 2)
- Vendor-Reputation
- Months-Post-Original-Implementation-Date
- Months-Post-Major-Release-Date
- Version-Supported
- Users-Count
- Customization
- User-Configurable
- Simple-or-Complex-Logic
- Interfaces-Total-Count
- Interfaces-Manual-Count
- Changes-Count-Normal
- Changes-Count-Emergency
- Failures-Count
- Restores-Count
ITRA APPL Risk Factors (2 of 2)
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QAAR-Count
- Gaps-SOD-Count
- Gaps-Other-Count
- Outages-Count-Days
- Outages-Hours
- Processes-Supported-Count
- BP-Risk-Average-Inherent
- Materiality-I-Count
- Materiality-G-Count
- Materiality-S-Count
- IT Tier
ITRA ADOS Risk Factors
- Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
- App Server OS-Vendor-Reputation
- DB Server OS-Vendor-Reputation
- App Server OS-Version-Supported
- DB Server OS-Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QOSR-Count
- Gaps-Other-Count
- Production-Server-Count
ITRA DBMS Risk Factors
- Vendor-Reputation
- Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QDBR-Count
- Gaps-Other-Count
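The run settings described above (point values per risk factor, Low/Medium/High break points, exclusion of factor categories, exclusion of missing data), worked through as an added Python example that is not part of the presentation or of the ITRA model's actual code. The point values, the 0-2 evaluator rating scale, the percentage normalisation and the sample application are constructed assumptions; only the factor names and categories come from the slides.

```python
from dataclasses import dataclass

MAX_RATING = 2  # assumed evaluator scale per factor: 0 favourable, 1 moderate, 2 adverse

@dataclass
class RunSettings:
    points: dict                  # (category, factor) -> point value (weight)
    break_points: tuple           # (low_max_pct, medium_max_pct)
    excluded_categories: frozenset = frozenset()
    exclude_unknown: bool = True  # drop None ratings instead of scoring them as adverse

POINTS = {  # constructed point values; factor names are from the APPL / ADOS / DBMS slides
    ("APPL", "Vendor-Reputation"): 1, ("APPL", "Version-Supported"): 2,
    ("APPL", "Customization"): 1, ("APPL", "Gaps-Security-Count"): 3,
    ("ADOS", "App Server OS-Version-Supported"): 2, ("ADOS", "Gaps-Security-Count"): 3,
    ("DBMS", "Version-Supported"): 2, ("DBMS", "Gaps-Security-Count"): 3,
}

SAMPLE_APP = {  # constructed ratings for one application; None marks missing / unknown data
    ("APPL", "Vendor-Reputation"): 0, ("APPL", "Version-Supported"): 2,
    ("APPL", "Customization"): 1, ("APPL", "Gaps-Security-Count"): 2,
    ("ADOS", "App Server OS-Version-Supported"): None, ("ADOS", "Gaps-Security-Count"): 1,
    ("DBMS", "Version-Supported"): 0, ("DBMS", "Gaps-Security-Count"): None,
}

def score(ratings, settings):
    """Return (percent of attainable points, Low/Medium/High) for one application. Scoring
    against the attainable maximum keeps break points comparable across exclusion settings."""
    earned = possible = 0
    for key, rating in ratings.items():
        if key[0] in settings.excluded_categories:
            continue
        if rating is None:
            if settings.exclude_unknown:
                continue
            rating = MAX_RATING  # conservative default: unknown scores as adverse
        weight = settings.points[key]
        earned += weight * rating
        possible += weight * MAX_RATING
    if possible == 0:
        return 0.0, "Low"  # nothing assessable after exclusions
    pct = round(100 * earned / possible, 1)
    low_max, medium_max = settings.break_points
    label = "Low" if pct <= low_max else "Medium" if pct <= medium_max else "High"
    return pct, label

if __name__ == "__main__":
    print(score(SAMPLE_APP, RunSettings(POINTS, (33, 66))))                        # (58.3, 'Medium')
    print(score(SAMPLE_APP, RunSettings(POINTS, (33, 66), exclude_unknown=False)))  # (70.6, 'High')
    print(score(SAMPLE_APP, RunSettings(POINTS, (33, 66), frozenset({"ADOS", "DBMS"}))))  # (78.6, 'High')
```

The three runs show why the exclusion settings matter: the same application moves from Medium to High depending on whether unknown factors are dropped or scored conservatively, and again when the infrastructure categories are left out.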
ITRA Model Walk-Through (cont)
ITRA Major Data Sources
- IC Department
  - APPL Lists
  - CMS Reports
  - APPL Narratives
  - Detailed Assessment
  - ITGC Documentation
  - Gap Logs
- Evaluator Judgment
- Internet Research
- IT Department
  - APPL Lists
  - Infrastructure Lists
  - Change Records
  - Outage Reports
  - Problem Reports
- Outsourcers
  - SAS 70 Reports
  - Change Records
  - Problem Reports