Chapter Three: IT Risks and Controls

Presentation transcript:

1 Chapter Three IT Risks and Controls

2 The Risk Management Process
- Identify IT risks
- Assess IT risks
- Identify IT controls
- Document IT controls
- Monitor IT risks and controls

3 Types of IT Risks
- Business risk
- Audit risk = IR * CR * DR
  – inherent risk (IR)
  – control risk (CR)
  – detection risk (DR)
- Security risk
- Continuity risk

4 Assessing IT Risk
- Threats and vulnerabilities
- Risk (residual risk) =
  + Expected value of risk (Asset Value * Risk Likelihood)
  – Percentage of risk mitigated by the current controls
  + Uncertainty of knowledge about the vulnerability
- Risk indicators and risk measurement
  – Risks relative to IT processes
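The two formulas on slides 3 and 4 worked through in Python, as an added example that is not part of the slides: the audit risk model AR = IR * CR * DR (including solving it for the detection risk the auditor can accept) and the residual-risk formula applied to a small constructed asset register. The asset values, likelihoods and control percentages are constructed, and treating the mitigated and uncertainty terms as fractions of the expected value is an assumption, since the slide does not state their units.

```python
"""Risk arithmetic from slides 3 and 4: the audit risk model and the
residual-risk formula. Added example; the asset values, likelihoods and
control percentages below are constructed, not taken from the slides."""
from dataclasses import dataclass


def audit_risk(inherent: float, control: float, detection: float) -> float:
    """Slide 3: audit risk = IR * CR * DR, each factor a probability in [0, 1]."""
    for p in (inherent, control, detection):
        if not 0.0 <= p <= 1.0:
            raise ValueError("risk factors must be probabilities in [0, 1]")
    return inherent * control * detection


def planned_detection_risk(target_ar: float, inherent: float, control: float) -> float:
    """Solve AR = IR * CR * DR for DR. The auditor assesses IR and CR and sets
    a target AR; the DR that falls out says how much substantive testing is
    needed (a lower acceptable DR means more testing)."""
    return target_ar / (inherent * control)


@dataclass
class AssetRisk:
    name: str
    asset_value: float   # valued by one of the slide 5 methods, e.g. cost to replace
    likelihood: float    # probability the threat is realised in the period
    mitigated: float     # fraction of the risk removed by current controls
    uncertainty: float   # allowance for incomplete knowledge of the vulnerability

    def expected_value(self) -> float:
        return self.asset_value * self.likelihood

    def residual_risk(self) -> float:
        """Slide 4: expected value of risk (asset value * likelihood)
        minus the percentage mitigated by current controls
        plus the uncertainty of knowledge about the vulnerability.
        Assumption: mitigated and uncertainty are fractions of the expected
        value, so that every term is in the same currency units."""
        ev = self.expected_value()
        return ev - ev * self.mitigated + ev * self.uncertainty


def rank_by_residual_risk(assets):
    """Highest residual risk first: the order a risk register presents assets for treatment."""
    return sorted(assets, key=lambda a: a.residual_risk(), reverse=True)


# Constructed sample register (not from the slides).
SAMPLE_ASSETS = [
    AssetRisk("customer database", 500_000, 0.10, mitigated=0.60, uncertainty=0.10),
    AssetRisk("payroll server", 120_000, 0.25, mitigated=0.20, uncertainty=0.05),
    AssetRisk("public web site", 40_000, 0.50, mitigated=0.80, uncertainty=0.20),
]

if __name__ == "__main__":
    print("audit risk at IR=0.8, CR=0.5, DR=0.25:", audit_risk(0.8, 0.5, 0.25))
    print("DR acceptable for AR=0.05 with IR=0.8, CR=0.5:", planned_detection_risk(0.05, 0.8, 0.5))
    for a in rank_by_residual_risk(SAMPLE_ASSETS):
        print(f"{a.name:18s} expected {a.expected_value():>9,.0f}  residual {a.residual_risk():>9,.0f}")
```

Running it shows why the formula subtracts the mitigated portion rather than ranking on asset value alone: the payroll server has a lower expected loss than the customer database but comes out with the higher residual risk because only 20% of its risk is covered by current controls.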

5 Valuation of Assets
- Assets: People, Data, Hardware, Software, Facilities, (Procedures)
- Valuation methods
  – Criticality to the organization's success
  – Revenue generated
  – Profitability
  – Cost to replace
  – Cost to protect
  – Embarrassment/Liability

6 Internal Control (IC)
- COSO – 5 components of IC
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring
- International IC standards
  – Cadbury
  – CoCo
  – Other country standards

7 Quality Control Standards
- ISO 9000 series – certifies that organizations comply with documented quality standards
- Six Sigma – an approach to process and quality improvement

8 Statements on Auditing Standards
- Issued by AICPA's Accounting Standards Board
- SAS 78, Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
- SAS 94, The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit
- New standards related to risk assessment

9 ISACA's CobiT
- Integrates IC with information and IT
- Three dimensions: information criteria, IT processes, and IT resources
- Requirements (information criteria) of quality, fiduciary, and security
- Organizes IT internal control into domains and processes
  – Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
  – Processes detail the steps in each domain

10 IT Control Domains and Processes

11 IT Controls
- COSO identifies two groups of IT controls:
  – Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  – General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development
A574 Internal Controls For Business

12 Segregation of Duties
- Transaction authorization is separate from transaction processing.
- Asset custody is separate from record-keeping responsibilities.
- The tasks needed to process transactions are subdivided so that fraud requires collusion.
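The three bullets on slide 12 turned into checks an auditor or IT control owner could run, as an added example that is not part of the slides. The duty names, the role-assignment table and the transaction event log are constructed; the first check looks at what users are allowed to do (a preventive view of the access model), the second at what they actually did on each transaction (a detective view over an audit trail), and the third counts how many distinct people touched each transaction, which is the number who would have to collude.

```python
"""Segregation-of-duties checks for slide 12. Added example, not from the
slides; the duty names, role assignments and event log are constructed."""
from collections import defaultdict

# Pairs of duties slide 12 says one person must not hold together.
INCOMPATIBLE = {
    frozenset({"authorize", "process"}),   # transaction authorization vs. processing
    frozenset({"custody", "record"}),      # asset custody vs. record keeping
}

# Constructed role assignments, as exported from an access-control system.
ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"process", "record"},
    "carol": {"custody"},
    "dave": {"authorize", "process"},      # conflicting grant
}

# Constructed transaction events: (transaction id, duty performed, user id).
EVENT_LOG = [
    ("PAY-100", "authorize", "alice"),
    ("PAY-100", "process", "bob"),
    ("PAY-100", "custody", "carol"),
    ("PAY-100", "record", "bob"),
    ("PAY-101", "authorize", "dave"),
    ("PAY-101", "process", "dave"),        # same person authorized and processed
    ("PAY-101", "custody", "carol"),
    ("PAY-101", "record", "carol"),        # same person held the asset and recorded it
]


def static_conflicts(assignments):
    """Users whose granted duties combine an incompatible pair. Run this before
    a role is granted (preventive) or over a periodic access review."""
    out = []
    for user, duties in sorted(assignments.items()):
        for pair in INCOMPATIBLE:
            if pair <= duties:
                out.append((user, tuple(sorted(pair))))
    return out


def transactional_conflicts(events):
    """Incompatible duties performed by the same user on the same transaction.
    This detective check catches what the static one cannot see, such as an
    emergency grant that was never revoked or a shared account."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, duty, user in events:
        by_txn[txn][user].add(duty)
    out = []
    for txn in sorted(by_txn):
        for user, duties in sorted(by_txn[txn].items()):
            for pair in INCOMPATIBLE:
                if pair <= duties:
                    out.append((txn, user, tuple(sorted(pair))))
    return out


def people_per_transaction(events):
    """Distinct people who touched each transaction: the number who would have
    to collude to push a fraudulent one through end to end (slide 12, bullet 3)."""
    users = defaultdict(set)
    for txn, _duty, user in events:
        users[txn].add(user)
    return {txn: len(u) for txn, u in users.items()}


if __name__ == "__main__":
    print("conflicting grants:", static_conflicts(ASSIGNMENTS))
    print("conflicts in the audit trail:", transactional_conflicts(EVENT_LOG))
    print("people per transaction:", people_per_transaction(EVENT_LOG))
```

On the constructed data PAY-100 passes every check and needed three people, while PAY-101 shows both conflicts and needed only two; the same pattern, a transaction completed by fewer people than the process design requires, is what a reviewer looks for in a real event log.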

13 Separation of Duties within IS

14 Classification of Controls
- Preventive controls: the issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
- Detective controls: the issue is discovered – an unauthorized disbursement is discovered during reconciliation
- Corrective controls: the issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

15 Application Control Goals
- For business event inputs, ensure
  – Input validity
  – Input completeness
  – Input accuracy
- For master data, ensure
  – Update completeness
  – Update accuracy

16 Application Control Goals
- Input validity
  – Input data are approved and represent actual economic events and objects
- Input completeness
  – Requires that all valid events or objects be captured and entered into the system
- Input accuracy
  – Requires that events be correctly captured and entered into the system
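The input control goals of slides 15 and 16, and the preventive/detective/corrective split of slide 14, applied to a constructed batch of keyed sales orders; this is an added example, not code from the slides. The record layout, the approved-customer master file, the batch and its control totals are all constructed. Field-level checks reject a record at entry (preventive) and are labelled with the goal they serve; the batch reconciliation compares what was keyed with the totals the originating department computed (detective); the exception report it returns is what a clerk would work from to re-enter the data (corrective).

```python
"""Application input controls from slides 14-16 over a constructed batch of
sales orders. Added example; master data, batch and control totals are
constructed and not taken from the slides."""
import re
from decimal import Decimal, InvalidOperation

# Constructed master data: customer ids the credit department has approved.
APPROVED_CUSTOMERS = {"C1001", "C1002", "C1003"}
REQUIRED_FIELDS = ("order_id", "customer_id", "amount", "approved_by")

# Constructed batch as keyed by a clerk, with the control totals the
# originating department computed by hand before sending it for entry.
BATCH = [
    {"order_id": "SO-0001", "customer_id": "C1001", "amount": "250.00", "approved_by": "mgr01"},
    {"order_id": "SO-0002", "customer_id": "C9999", "amount": "99.50", "approved_by": "mgr01"},   # not an approved customer
    {"order_id": "SO-0003", "customer_id": "C1002", "amount": "12O.00", "approved_by": "mgr02"},  # letter O keyed for zero
    {"order_id": "SO-0004", "customer_id": "C1003", "amount": "75.25", "approved_by": ""},        # no authorization
]
BATCH_CONTROL = {"record_count": 5, "amount_total": Decimal("644.75")}  # one record never keyed


def parse_amount(text):
    """Decimal value of a keyed amount, or None if it is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def check_record(rec):
    """Field-level checks, each tagged with the slide 16 goal it serves.
    Returns a list of (goal, message); an empty list means the record passes."""
    exc = []
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        exc.append(("completeness", "missing fields: " + ", ".join(missing)))
        return exc  # the remaining checks need the fields to exist
    # Validity: the event is approved and refers to a real object (a customer on file).
    if rec["customer_id"] not in APPROVED_CUSTOMERS:
        exc.append(("validity", f"customer {rec['customer_id']} not in approved master file"))
    if not rec["approved_by"]:
        exc.append(("validity", "no authorization recorded"))
    # Accuracy: the values keyed are the values on the source document.
    if not re.fullmatch(r"SO-\d{4}", rec["order_id"]):
        exc.append(("accuracy", f"order id {rec['order_id']} fails format check"))
    amount = parse_amount(rec["amount"])
    if amount is None:
        exc.append(("accuracy", f"amount {rec['amount']!r} is not numeric"))
    elif amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        exc.append(("accuracy", f"amount {rec['amount']} fails sign/precision check"))
    return exc


def reconcile_batch(batch, control):
    """Batch-level detective control: compare the record count and amount
    total that were keyed with the control totals sent with the batch."""
    findings = []
    if len(batch) != control["record_count"]:
        findings.append(("completeness",
                         f"{control['record_count']} records expected, {len(batch)} keyed"))
    keyed = sum((a for a in map(parse_amount, (r["amount"] for r in batch)) if a is not None),
                Decimal("0"))
    if keyed != control["amount_total"]:
        findings.append(("accuracy",
                         f"amount total {keyed} keyed, {control['amount_total']} on control sheet"))
    return findings


def process_batch(batch, control):
    """Error and summary report: per-record exceptions plus batch findings."""
    report = {"record_exceptions": {}, "batch_findings": reconcile_batch(batch, control)}
    for rec in batch:
        exc = check_record(rec)
        if exc:
            report["record_exceptions"][rec.get("order_id", "?")] = exc
    return report


if __name__ == "__main__":
    for order_id, exc in process_batch(BATCH, BATCH_CONTROL)["record_exceptions"].items():
        print(order_id, exc)
    print("batch:", reconcile_batch(BATCH, BATCH_CONTROL))
```

The record-level checks cannot notice the fifth order that was never keyed; only the batch reconciliation against an independently prepared control total does, which is why both layers appear on slide 15 (event inputs and master data) rather than field edits alone.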

17 Systems Reliability Assurance
- SysTrust
- WebTrust
- New AICPA Trust Principles

18 Documenting IT Controls
- Internal control narratives
- Flowcharts – internal control flowchart
- IC questionnaires

19 Risk Control Strategies
- Avoidance
  – Policy, training and education, or technology
- Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
- Mitigation – reducing the impact through planning and preparation
- Acceptance – doing nothing if the cost of protection does not justify the expense of the control

20 Monitoring IT Risks and Controls
- CobiT control objectives associated with monitoring and evaluation
- Need for independent assurance and audit of IT controls
