Application-level IT Risk Assessment Kerry L. Shackelford KLS Consulting LLC ISACA Denver Chapter Meeting February 21, 2008.


1 Application-level IT Risk Assessment
Kerry L. Shackelford, KLS Consulting LLC
ISACA Denver Chapter Meeting, February 21, 2008

2 Outline
- Why this topic?
- SEC interpretive guidance
- ABC’s implementation approach
- Design of the ITRA model
- Model walk-through / Q&A

3 Why This Topic? GRC Spending Skyrockets
(Diagram: the GRC landscape in three columns, read row by row from the slide text.)
- Governance: Board and Entity Management; Corporate Policy and Procedure Management; IT Governance (CobiT, ISO 17799 & 27001-ISM); Internal Audit Departments
- Risk: Enterprise Risk Mgt (COSO, COCO); Operational Risk Mgt; IT Risk Mgt (CobiT, ITIL, etc.); Financial Institution Risk Mgt (Basel II, etc.)
- Compliance: Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.); SOX-Like (Japan, Canada, EU); Specific Areas (PCI-DSS, AML, etc.); Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)

4 Why This Topic? US Congress Responds

5 Why This Topic? Corporate Outcry Begins
“The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.”
Source: Journal of Accountancy, “Two Years and Counting,” June 2007

6 Why This Topic? Fix: Audit Firms
- Per the PCAOB policy statement issued 5/16/05, the auditors should:
  - Integrate their audits
  - Tailor audit plans to their client’s risks
  - Use a top-down approach
  - Use the work of others
  - Communicate directly and timely with clients

7 Why This Topic? SOX Year Two - 2005

8 Why This Topic? Corporate Outcry (Cont)
- The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.
Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services, www.issproxy.com

9 Why This Topic? Fix: Issuer (& Audit Firms)

10 SEC Interpretive Guidance For Issuer Management
- Guidance Regarding Management’s Report on Internal Control Over Financial Reporting
  - Effective Date: June 27, 2007
  - www.sec.gov/rules/interp/2007/33-8810.pdf
- ACTION: Interpretation.

11 SEC Interpretive Guidance Underlying Principles
- Management should:
  - Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
  - Base its assessment of risk on the evaluation of evidence about the operation of its controls.

12 SEC Interpretive Guidance Benefits

13 ITRA Overview - Approach
- Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
- Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
- Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

15 ITRA Model Walk-Through

16 ITRA Run Settings
- Assignment of point values to risk factors
- Break points which define Low, Medium, and High risk applications
- Excluding risk factor categories from results
- Excluding missing / unknown data

17 ITRA Risk Factors
- Information Categories
  - APPL (Application Systems)
  - ADOS (Application / Database Server Operating Systems)
  - DBMS (Data Base Management Systems)
- Plus basic APPL information
- Bias towards objective vs subjective evaluation criteria

18 ITRA APPL Basic Information
- Name
- SOX-Indicator-IC-Dept
- Vendor-Name
- Original-Implementation-Date
- Major-Release-Implementation-Date
- Software-Version
- Support-Source
- Infrastructure-Management-Source
- App-Server-OS-Vendor, Product, Version, & SP-Level
- DB-Server-OS-Vendor, Product, Version, & SP-Level
- DB-DBMS-Vendor, Product, Version, & SP-Level

19 ITRA APPL Risk Factors (1 of 2)
- Vendor-Reputation
- Months-Post-Original-Implementation-Date
- Months-Post-Major-Release-Date
- Version-Supported
- Users-Count
- Customization
- User-Configurable
- Simple-or-Complex-Logic
- Interfaces-Total-Count
- Interfaces-Manual-Count
- Changes-Count-Normal
- Changes-Count-Emergency
- Failures-Count
- Restores-Count

20 ITRA APPL Risk Factors (2 of 2)
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QAAR-Count
- Gaps-SOD-Count
- Gaps-Other-Count
- Outages-Count-Days
- Outages-Hours
- Processes-Supported-Count
- BP-Risk-Average-Inherent
- Materiality-I-Count
- Materiality-G-Count
- Materiality-S-Count
- IT Tier

21 ITRA ADOS Risk Factors
- Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
- App Server OS-Vendor-Reputation
- DB Server OS-Vendor-Reputation
- App Server OS-Version-Supported
- DB Server OS-Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QOSR-Count
- Gaps-Other-Count
- Production-Server-Count

22 ITRA DBMS Risk Factors
- Vendor-Reputation
- Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QDBR-Count
- Gaps-Other-Count
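Slides 13 and 16 describe the scoring procedure and slides 19 to 22 name its risk factors, but the deck gives no point values, break points or overall-risk formula. The Python below is an added example, not the ITRA model or any KLS Consulting LLC code: it scores one application from a subset of the named factors, keeps inherent and control risk separate, maps the normalised overall score to Low/Medium/High by break points, and implements the two run settings for excluding whole categories and missing/unknown data. Every point value, the inherent/control split, the break points and the mean-based overall formula are assumptions, as is the sample application.

```python
# Added example, not code from the ITRA model or KLS Consulting LLC.
# (category, factor) -> (points, kind). Factor names come from slides 19-22;
# the point values and the inherent/control split (gap counts = control risk,
# everything else = inherent risk) are constructed assumptions.
RISK_FACTORS = {
    ("APPL", "Vendor-Reputation"): (2, "inherent"),
    ("APPL", "Version-Supported"): (3, "inherent"),
    ("APPL", "Changes-Count-Emergency"): (3, "inherent"),
    ("APPL", "Gaps-SOD-Count"): (4, "control"),
    ("ADOS", "App Server OS-Version-Supported"): (2, "inherent"),
    ("ADOS", "Gaps-Security-Count"): (3, "control"),
    ("DBMS", "Version-Supported"): (2, "inherent"),
    ("DBMS", "Gaps-Security-Count"): (3, "control"),
}
# Assumed break points on the 0..1 normalised overall score: (upper bound, rating).
BREAK_POINTS = ((1 / 3, "Low"), (2 / 3, "Medium"), (1.0, "High"))
# Constructed evaluation of one application: True = factor indicates risk,
# False = it does not, None = data missing / unknown.
SAMPLE_APP = {
    ("APPL", "Vendor-Reputation"): False,
    ("APPL", "Version-Supported"): True,
    ("APPL", "Changes-Count-Emergency"): True,
    ("APPL", "Gaps-SOD-Count"): True,
    ("ADOS", "App Server OS-Version-Supported"): None,
    ("ADOS", "Gaps-Security-Count"): False,
    ("DBMS", "Version-Supported"): False,
    ("DBMS", "Gaps-Security-Count"): True,
}

def rate(score):
    """Map a normalised score to Low / Medium / High via the break points."""
    return next(label for upper, label in BREAK_POINTS if score <= upper)

def score_application(flags, exclude_categories=(), exclude_missing=True):
    """Score one application; the two keyword settings mirror slide 16."""
    earned = {"inherent": 0, "control": 0}
    possible = {"inherent": 0, "control": 0}
    for key, (points, kind) in RISK_FACTORS.items():
        if key[0] in exclude_categories:
            continue  # run setting: whole category dropped from the results
        value = flags.get(key)
        if value is None and exclude_missing:
            continue  # run setting: unknown data counts in neither numerator nor denominator
        possible[kind] += points
        earned[kind] += points if (value or value is None) else 0  # kept unknowns score as risk
    result = {k: earned[k] / possible[k] if possible[k] else 0.0 for k in earned}
    result["overall"] = (result["inherent"] + result["control"]) / 2  # assumed: mean of the two
    result["rating"] = rate(result["overall"])
    return result
```

With the sample data the application rates Medium when unknown data is excluded and High when it is not, which is why the run settings belong in the documented evidence for a rating.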

23 ITRA Model Walk-Through (cont)

24 ITRA Major Data Sources
- IC Department
  - APPL Lists
  - CMS Reports
  - APPL Narratives
  - Detailed Assessment
  - ITGC Documentation
  - Gap Logs
- Evaluator Judgment
- Internet Research
- IT Department
  - APPL Lists
  - Infrastructure Lists
  - Change Records
  - Outage Reports
  - Problem Reports
- Outsourcers
  - SAS 70 Reports
  - Change Records
  - Problem Reports

25 Q&A Kerry L. Shackelford 720-839-6359 Kerry@KLSConsultingLLC.com
