Bridging the gap between software developers and auditors.

1 Bridging the gap between software developers and auditors

2 Qualitative versus Quantitative Risk Assessment
- It is impossible to conduct risk management that is purely quantitative.
- Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgment or experience.
- It is possible to accomplish purely qualitative risk management.

3 Qualitative risk assessment [figure: a Likelihood versus Impact matrix whose cells are rated Low risk, Med. risk or High risk]

4 Quantitative risk assessment
- ALE = ARO x SLE
  - SLE = AV x EF
ALE = Annualized loss expectancy
ARO = Annual rate of occurrence
SLE = Single loss expectancy
AV = Asset value
EF = Exposure factor
Is there something wrong with this approach?

5 Risks in software development
- Buffer overflows
- Authentication
- Human intervention
- Code reuse

6 What is STRIDE
Microsoft's approach to threat modeling
- Spoofing Identity
- Tampering with data
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of privilege

7 What is DREAD
OWASP's extension to STRIDE, providing some quantifiable measure for vulnerabilities
- Damage Potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
All scored on the scale 0-10
DREAD = (D1 + R + E + A + D2) / 5, where D1 is Damage Potential and D2 is Discoverability
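As an added example that is not part of the slides, the two formulas from slide 4 (ALE = ARO x SLE, SLE = AV x EF) and slide 7 (DREAD averaged over five 0-10 factors) applied to a small, constructed threat register; the threat names, asset values and scores are illustrative assumptions, not figures from the deck.

```python
from dataclasses import dataclass

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor

def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE; ARO is the expected number of incidents per year."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE cannot be negative")
    return aro * sle

def dread_score(d1: int, r: int, e: int, a: int, d2: int) -> float:
    """DREAD = (D1 + R + E + A + D2) / 5, each factor on the 0-10 scale."""
    factors = (d1, r, e, a, d2)
    if any(not 0 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor is scored 0-10")
    return sum(factors) / 5

@dataclass
class Threat:
    name: str
    stride: str            # the STRIDE category the threat falls under
    dread: tuple           # (D1, R, E, A, D2) scores
    asset_value: float     # AV, in currency units
    exposure_factor: float # EF
    aro: float             # ARO

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(self.aro, sle)

def rank_threats(threats):
    """Highest DREAD first, ALE as tie-breaker; returns (name, dread, ale) rows."""
    rows = ((t.name, dread_score(*t.dread), t.ale()) for t in threats)
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)

# Constructed sample register; every number below is an assumed value.
SAMPLE_THREATS = [
    Threat("Stack overflow in file parser", "Elevation of privilege", (9, 8, 6, 7, 5), 500_000, 0.4, 0.5),
    Threat("Missing audit log on payment reversal", "Repudiation", (6, 10, 8, 4, 6), 200_000, 0.1, 2.0),
    Threat("Weak password reset token", "Spoofing identity", (7, 9, 9, 8, 8), 300_000, 0.25, 1.0),
]

if __name__ == "__main__":
    for name, score, ale in rank_threats(SAMPLE_THREATS):
        print(f"{name:<40} DREAD={score:4.1f}  ALE={ale:>10,.0f}")
```

Note that both formulas produce point estimates: the ranking says nothing about how uncertain the ARO, EF or DREAD inputs are, which is the kind of limitation the slide's closing question invites.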

8 Risks in audit
- Audit risk is the probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find.
- Composed of Inherent, Control, and Detection risks

9 Role of IT Controls
- Modern financial reporting is driven by information technology.
- IT initiates, authorizes, records, and reports the effects of financial transactions. Financial reporting internal controls (IC) are inextricably integrated with IT.
- COSO identifies two groups of IT controls:
  - application controls: apply to specific applications and programs, and ensure data validity, completeness and accuracy
  - general controls: apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

10 Important types of IT controls
- Input controls
- Processing controls
- Output controls

11 What can a university do?
- Teaching and training: UConn started an Advanced Business Certificate program in IT Audit, aligned with ISACA CISA coverage.
- Research: UConn is now an NSA Center of Excellence in Information Assurance Research.
