Presentation transcript: Chapter Three, IT Risks and Controls

1 Chapter Three: IT Risks and Controls

2 The Risk Management Process
Identify IT risks
Assess IT risks
Identify IT controls
Document IT controls
Monitor IT risks and controls

3 Types of IT Risks
Business risk
Audit risk = IR * CR * DR
  – inherent risk (IR)
  – control risk (CR)
  – detection risk (DR)
Security risk
Continuity risk

4 Assessing IT Risk
Threats and vulnerabilities
Risk (residual risk) =
  + Expected value of risk (Asset Value * Risk Likelihood)
  – Percentage of risk mitigated by the current controls
  + Uncertainty of knowledge about the vulnerability
Risk indicators and risk measurement
  – Risks relative to IT processes

5 Valuation of Assets
Assets: People, Data, Hardware, Software, Facilities, (Procedures)
Valuation methods
  – Criticality to the organization’s success
  – Revenue generated
  – Profitability
  – Cost to replace
  – Cost to protect
  – Embarrassment/Liability
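The two formulas on slides 3 and 4 are easier to apply once they are written out over a small asset register scored with the slide 5 valuation methods. The following is an added example, not part of the original deck; the asset names, values and percentages are constructed, and it assumes that the "percentage mitigated" and "uncertainty" terms of the slide 4 formula are taken as fractions of the expected value rather than as absolute amounts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    """One asset scored with the slide 4 residual-risk formula (all values constructed)."""
    name: str
    asset_value: float   # relative valuation from a slide 5 method (e.g. cost to replace), 0-100 scale
    likelihood: float    # probability the threat is realised in the period, 0.0-1.0
    mitigated: float     # fraction of the expected loss removed by current controls, 0.0-1.0
    uncertainty: float   # allowance for how little is known about the vulnerability, 0.0-1.0


def expected_value(r: AssetRisk) -> float:
    """Expected value of risk = asset value * risk likelihood."""
    return r.asset_value * r.likelihood


def residual_risk(r: AssetRisk) -> float:
    """Residual risk = expected value
                       - expected value * fraction mitigated by current controls
                       + expected value * uncertainty.
    Assumption: the slide's percentage terms are applied to the expected value."""
    ev = expected_value(r)
    return ev - ev * r.mitigated + ev * r.uncertainty


def rank_by_residual_risk(risks):
    """Order the register so that the asset needing attention first comes first."""
    return sorted(risks, key=residual_risk, reverse=True)


def audit_risk(ir: float, cr: float, dr: float) -> float:
    """Slide 3 audit risk model: AR = IR * CR * DR."""
    return ir * cr * dr


def required_detection_risk(target_ar: float, ir: float, cr: float) -> float:
    """Solve the slide 3 model for DR: the most detection risk an auditor can
    accept given the assessed inherent and control risk and a target audit risk.
    A low result means more substantive testing is needed."""
    if ir <= 0 or cr <= 0:
        raise ValueError("inherent and control risk must be positive")
    return target_ar / (ir * cr)


# Constructed sample register: three assets scored on a 0-100 value scale.
SAMPLE_REGISTER = [
    AssetRisk("customer database", 100, 0.5, 0.30, 0.10),
    AssetRisk("public web server", 80, 0.8, 0.50, 0.20),
    AssetRisk("finance workstation", 20, 0.9, 0.40, 0.10),
]

if __name__ == "__main__":
    for r in rank_by_residual_risk(SAMPLE_REGISTER):
        print(f"{r.name:20s} expected={expected_value(r):6.1f} residual={residual_risk(r):6.1f}")
    print("audit risk (IR 0.6, CR 0.5, DR 0.2):", audit_risk(0.6, 0.5, 0.2))
    print("max DR for target AR 0.05:", required_detection_risk(0.05, 0.6, 0.5))
```

Note that the web server outranks the customer database despite its lower asset value: the higher likelihood and the larger uncertainty allowance outweigh the stronger existing controls, which is exactly the trade-off the slide 4 formula is meant to surface.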

6 Internal Control (IC)
COSO – 5 components of IC
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring
International IC standards
  – Cadbury
  – CoCo
  – Other country standards

7 Quality Control Standards
ISO 9000 series – certifies that organizations comply with documented quality standards
Six Sigma – an approach to process and quality improvement

8 Statements on Auditing Standards
Issued by AICPA’s Accounting Standards Board
SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
SAS 94 The Effect of IT on the Auditor’s Consideration of IC in a Financial Statement Audit
New standards related to risk assessment

9 ISACA’s CobiT
Integrates IC with information and IT
Three dimensions: information criteria, IT processes, and IT resources
Requirements (information criteria) of quality, fiduciary, and security
Organizes IT internal control into domains and processes
  – Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
  – Processes detail steps in each domain

10 IT Control Domains and Processes

11 IT Controls
COSO identifies two groups of IT controls:
  – Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  – General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
A574 Internal Controls For Business

12 Segregation of Duties
Transaction authorization is separate from transaction processing.
Asset custody is separate from record-keeping responsibilities.
The tasks needed to process the transactions are subdivided so that fraud requires collusion.

13 Separation of Duties within IS

14 Classification of Controls
Preventive controls: the issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
Detective controls: the issue is discovered – an unauthorized disbursement is discovered during reconciliation
Corrective controls: the issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

15 Application Control Goals
For business event inputs, ensure
  – Input validity
  – Input completeness
  – Input accuracy
For master data, ensure
  – Update completeness
  – Update accuracy

16 Application Control Goals
Input validity
  – Input data are approved and represent actual economic events and objects
Input completeness
  – Requires that all valid events or objects be captured and entered into the system
Input accuracy
  – Requires that events be correctly captured and entered into the system
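Slides 12, 14, 15 and 16 describe controls in the abstract; the following added example (not code from the deck or its course) shows what the three input goals, the two master-data update goals and the authorization/processing split look like as checks over a batch of transactions. The master records, authorizer list, batch headers and transactions are all constructed; the control-total and sequence checks are detective controls, rejecting the batch before posting is the preventive control, and re-keying the batch after the findings are fixed would be the corrective step.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed master data and list of users allowed to authorize transactions.
MASTER_BALANCES = {"C100": Decimal("0.00"), "C200": Decimal("0.00"), "C300": Decimal("0.00")}
APPROVED_AUTHORIZERS = {"alice", "bob"}


@dataclass(frozen=True)
class Transaction:
    txn_id: int           # pre-numbered document number, used for the sequence check
    customer_id: str
    amount: Decimal
    authorized_by: str    # user who approved the event
    processed_by: str     # user who keyed it into the system


@dataclass(frozen=True)
class BatchHeader:
    record_count: int     # control totals keyed separately from the detail records
    amount_total: Decimal


def validity_findings(txns, master, authorizers):
    """Input validity: each event is approved and refers to an existing master record.
    The authorizer/processor comparison enforces slide 12 segregation of duties."""
    out = []
    for t in txns:
        if t.customer_id not in master:
            out.append(f"txn {t.txn_id}: unknown customer {t.customer_id}")
        if t.authorized_by not in authorizers:
            out.append(f"txn {t.txn_id}: authorizer {t.authorized_by} not approved")
        if t.authorized_by == t.processed_by:
            out.append(f"txn {t.txn_id}: {t.processed_by} both authorized and processed it")
    return out


def completeness_findings(txns, header):
    """Input completeness: record count matches the control count and the
    document-number sequence has no gaps."""
    out = []
    if len(txns) != header.record_count:
        out.append(f"record count {len(txns)} != control count {header.record_count}")
    ids = sorted(t.txn_id for t in txns)
    if ids:
        for missing in sorted(set(range(ids[0], ids[-1] + 1)) - set(ids)):
            out.append(f"sequence gap: txn {missing} missing")
    return out


def accuracy_findings(txns, header):
    """Input accuracy: batch amount total matches the control total and every
    amount is a positive value in whole cents."""
    out = []
    total = sum((t.amount for t in txns), Decimal("0.00"))
    if total != header.amount_total:
        out.append(f"batch total {total} != control total {header.amount_total}")
    for t in txns:
        if t.amount <= 0 or t.amount != t.amount.quantize(Decimal("0.01")):
            out.append(f"txn {t.txn_id}: amount {t.amount} is not a positive whole-cent value")
    return out


def audit_batch(txns, header, master=MASTER_BALANCES, authorizers=APPROVED_AUTHORIZERS):
    """Run all three input-control checks; an empty list under each goal means the batch passes."""
    return {
        "validity": validity_findings(txns, master, authorizers),
        "completeness": completeness_findings(txns, header),
        "accuracy": accuracy_findings(txns, header),
    }


def post_batch(txns, header, master=MASTER_BALANCES, authorizers=APPROVED_AUTHORIZERS):
    """Master-data update: refuse the whole batch if any input control fails, then
    verify update completeness (every record posted) and update accuracy (net
    balance change equals the control total). Returns new balances; `master` is not modified."""
    findings = audit_batch(txns, header, master, authorizers)
    if any(findings.values()):
        raise ValueError(f"batch rejected: {findings}")
    updated = dict(master)
    applied = 0
    for t in txns:
        updated[t.customer_id] += t.amount
        applied += 1
    assert applied == len(txns)
    assert sum(updated.values(), Decimal("0.00")) - sum(master.values(), Decimal("0.00")) == header.amount_total
    return updated


# Constructed batch with deliberate defects: missing document 1003, a short record
# count, a self-authorized entry, an unknown customer and a fractional-cent amount.
BAD_BATCH = [
    Transaction(1001, "C100", Decimal("100.00"), "alice", "carol"),
    Transaction(1002, "C200", Decimal("200.00"), "bob", "bob"),
    Transaction(1004, "C999", Decimal("150.005"), "alice", "dave"),
]
BAD_HEADER = BatchHeader(record_count=4, amount_total=Decimal("450.00"))

# Constructed clean batch that passes every check.
GOOD_BATCH = [
    Transaction(2001, "C100", Decimal("100.00"), "alice", "carol"),
    Transaction(2002, "C200", Decimal("200.00"), "bob", "carol"),
]
GOOD_HEADER = BatchHeader(record_count=2, amount_total=Decimal("300.00"))

if __name__ == "__main__":
    for goal, items in audit_batch(BAD_BATCH, BAD_HEADER).items():
        print(goal, items)
    print(post_batch(GOOD_BATCH, GOOD_HEADER))
```

The control totals live in a separate header record on purpose: a count or amount that is keyed independently of the detail lines is what lets the completeness and accuracy checks detect a dropped or mis-keyed record, which a check computed only from the details themselves cannot do.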

17 Systems Reliability Assurance
SysTrust
WebTrust
New AICPA Trust Principles

18 Documenting IT Controls
Internal control narratives
Flowcharts – internal control flowchart
IC questionnaires

19 Risk Control Strategies
Avoidance
  – Policy, training and education, or technology
Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
Mitigation – reducing the impact through planning and preparation
Acceptance – doing nothing when the expense of the control is not justified by the protection it would provide

20 Monitoring IT Risks and Controls
CobiT control objectives associated with monitoring and evaluation
Need for independent assurance and audit of IT controls
