IT Risks and Controls (revised 2014)

Content
Internal Control
- What is internal control?
- Objectives of internal controls
- Types of internal controls
- Elements of internal controls
- Categories of internal controls
Risk
- Risk management control
- Types of risk
- Risk IT framework by ISACA
CISB424, Sulfeeza

Internal Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved (Source: Cascarino, 2012)
Objectives and goals of an organization can be divided into:
a) Corporate objectives – the statement of corporate intent
b) Management objectives – how the corporate objectives will be met

Internal Control: Whose responsibility?
Management is responsible for ensuring that controls are properly planned, organized and directed:
a) Planning – establishing control objectives and goals, and choosing the preferred method of utilizing resources
b) Organizing – gathering the required resources and arranging them so that objectives may be attained
c) Directing – authorizing, instructing and monitoring performance

Objectives of Internal Control
1. Reliability and integrity of information
2. Compliance with policies, plans, procedures, laws and regulations
3. Safeguarding of assets
4. Effectiveness and efficiency of operations

Types of Internal Control
1. Preventive controls – steps designed to keep errors or irregularities from occurring in the first place
2. Detective controls – steps designed to detect errors or irregularities that may have occurred
3. Corrective controls – steps designed to correct errors or irregularities that have been detected
4. Directive controls – steps designed to produce positive results and encourage acceptable behaviors
5. Compensating controls – a weakness in one control may be compensated for by another control elsewhere
(Source: Cascarino, 2012)

Elements of Internal Control
Management must ensure the following when designing internal controls:
1. Segregation of duties
2. Competence and integrity of people
3. Appropriate level of authority
4. Accountability
5. Adequate resources
6. Supervision and review
(Source: Cascarino, 2012)

Limitations of Internal Control
1. Judgment – the effectiveness of controls is limited by decisions made with human judgment, under pressure to conduct business, based on the information available at hand.
2. Breakdowns – even well-designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.
3. Management override – high-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion – a control system can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.
(Source:

Categories of IT Controls
The objectives of IT controls relate to the confidentiality, integrity and availability of data, and to the overall management of the IT function in an organization.
IT controls can be categorized as:
1. IT general controls
2. IT application controls
(Source: Wikipedia)

IT General Controls
Help to ensure the reliability of data generated by IT systems. Areas included:
1. General IT controls
2. Computer operations
3. Physical security
4. Logical security
5. Program change control
6. Systems development
(Source: Cascarino, 2012; Wikipedia)

IT Application Controls
Help to ensure the completeness and accuracy of data processing, from input to output. Among the controls that can be implemented:
1. Completeness check
2. Validity check
3. Identification
4. Authentication
5. Authorization
6. Input controls
7. Forensic controls
(Source: Wikipedia)

IT Application Controls
1. Completeness check – controls that ensure all records were processed from initiation to completion
2. Validity check – controls that ensure only valid data is input or processed
3. Identification – controls that ensure all users are uniquely and irrefutably identified
4. Authentication – controls that provide an authentication mechanism in the application system
5. Authorization – controls that ensure only approved business users have access to the application system
6. Input controls – controls that ensure the integrity of data fed from upstream sources into the application system
7. Forensic controls – controls that ensure data is scientifically and mathematically correct based on inputs and outputs
(Source: Wikipedia)
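The following is an added example, not part of the lecture slides, showing how several of the application controls listed above (completeness check, validity check, identification, authorization and an input control on the upstream batch header) can be applied to a constructed batch of transaction records. The user directory, account-number format and approval limits are assumptions made for the example.

```python
# Added example (not from the slides): a constructed batch of transaction
# records run through application controls of the kinds listed above.
import re
from dataclasses import dataclass, field

# Assumed user directory: identification (who the user is) and
# authorization (the largest amount that user's role may approve).
USERS = {"u101": {"role": "clerk", "limit": 1000.0},
         "u202": {"role": "manager", "limit": 50000.0}}
ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")   # assumed account-number format


@dataclass
class ControlReport:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # record id -> failing control
    complete: bool = False                          # completeness check result


def check_record(rec):
    """Validity, identification and authorization checks on one record.
    Returns None when the record passes, otherwise the first control it fails."""
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        return "validity: amount must be a positive number"
    if not ACCOUNT_RE.match(rec.get("account", "")):
        return "validity: malformed account number"
    user = USERS.get(rec.get("user"))
    if user is None:
        return "identification: unknown user"
    if amount > user["limit"]:
        return f"authorization: {user['role']} approval limit {user['limit']:.2f} exceeded"
    return None


def process_batch(header, records):
    """Input/completeness control: the upstream header states how many records
    and what control total were sent; both must match what was actually received."""
    report = ControlReport()
    received_total = sum(r["amount"] for r in records
                         if isinstance(r.get("amount"), (int, float)))
    report.complete = (len(records) == header["count"]
                       and abs(received_total - header["control_total"]) < 0.005)
    for rec in records:
        reason = check_record(rec)
        if reason is None:
            report.accepted.append(rec["id"])
        else:
            report.rejected[rec["id"]] = reason
    return report


# Constructed sample batch: the header announces 5 records, but only 4 arrived.
BATCH_HEADER = {"count": 5, "control_total": 3449.50}
BATCH = [
    {"id": "T1", "user": "u101", "account": "ACC-000123", "amount": 250.00},
    {"id": "T2", "user": "u101", "account": "ACC-000124", "amount": 2000.00},  # over clerk limit
    {"id": "T3", "user": "u999", "account": "ACC-000125", "amount": 100.00},   # unknown user
    {"id": "T4", "user": "u202", "account": "ACC-12", "amount": 99.50},        # bad account
]
```

Running `process_batch(BATCH_HEADER, BATCH)` accepts only T1, rejects T2, T3 and T4 with the failing control named, and flags the batch as incomplete because the record count and control total do not match the header.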

IT General and Application Controls Hierarchy
[Figure: a layered hierarchy with three levels, Governance, Management and Technical, containing the following controls, listed from the top layer down:]
- Policies
- IT Standards
- Management and Organization
- Physical and Environmental Controls
- Systems Software Controls
- Systems Development Controls
- Application-based Controls

Risks
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action (Source: BusinessDictionary.com)

Risks
So what are threats and vulnerabilities?
Threat – a possible danger that might exploit a vulnerability to breach security and thus cause possible harm (Source: Wikipedia)
Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission (Source: ISO)

Types of Risks
1. Business risk – the possibility that a company will have lower than anticipated profits, or that it will experience a loss rather than a profit (Source: Investopedia)
2. Audit risk
a) Inherent risk – the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances (Source: BusinessDictionary.com)
b) Control risk – the likelihood that the control processes established to manage inherent risk prove to be ineffective (Source: Cascarino, 2012)
c) Residual risk – the risk that significant business exposures have not been adequately addressed by the audit process (Source: Cascarino, 2012)
3. Continuity risk – the possibility that a company will not be able to continue its operations due to weakness in control

IT Risks
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence (Source: ISO)

Categories of IT Risks
1. IT service delivery risk – associated with the performance and availability of IT services
2. IT solution delivery/benefit realization risk – associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs
3. IT benefit realization risk – associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives

Risk Management
The process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure (Source: Institute of Risk Management)

Risk IT Framework

Domains of Risk IT Framework
a) Risk Governance — ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
b) Risk Evaluation — ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.
c) Risk Response — ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.