Chapter Three IT Risks and Controls.

1 Chapter Three IT Risks and Controls

2 Lecture Outline
- Identifying IT Risks
- Assessing IT Risks
- Identifying IT Controls
- Documenting IT Controls
- Monitoring IT Risks and Controls

3 Types of IT Risks
What is risk?
- Chances of negative outcomes
Business risk
- Likelihood that an organization will not achieve its business goals and objectives
- Internal and external risk

4 Audit risk
- Likelihood that an organization's external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or that an IT auditor fails to uncover a material error or fraud.

5 Inherent risk
- Likelihood of material errors or fraud inherent in the business environment.
Control risk
- Likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.
Detection risk
- Likelihood that audit procedures will not detect material errors or fraud on a timely basis.

6 Security risk
- Risks associated with data access and integrity
- Physical or logical unauthorized access
- Negative outcomes
Continuity risk
- Risks associated with an information system's availability and backup and recovery

7 Assessing IT Risk
Threats and vulnerabilities
- Identify threats or exposures
- Assess vulnerabilities to threats or exposures
- Determine the acceptable risk level
- The expected value of risk
Risk indicators and risk measurement
- Identify IT processes and then develop a set of risk indicators
- Risk indicators point to a need for control

8 Identifying IT Controls
- Once risks have been identified and assessed, specific controls need to be designed to control those risks.
- Most widely used internal control models: COSO, Cadbury and CoCo

9 COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- The COSO framework consists of a definition of internal control and identification of 5 components
- Internal control is broadly defined as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. (COSO, Internal Control - Integrated Framework)

10 COSO cont.
5 components of Internal Control (IC)
Control environment
- Attitude of management toward internal control
Risk assessment
- Enterprise risk framework: guidance in developing plans to identify, measure, evaluate and respond to risks
Control activities
- Internal control procedures and policies, e.g., authorizations, approvals, passwords, and segregation of duties

11 COSO cont.
Information and communication
- Refers to the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives
Monitoring
- Continuous monitoring of the internal control system by regular audits and evaluations

12 International IC Standards
Cadbury
- Stressed that internal control encompasses both financial and operational controls and that auditors should report on both
CoCo (Canadian Criteria of Control Committee)
- Similar to COSO and Cadbury
- Groups IC within 4 categories
- Purpose: criteria that relate to an organization's mission and objectives

13 International IC Standards cont.
- Commitment: criteria that relate to ethics, policies, and corporate identity
- Capability: criteria that relate to the competence of an organization
- Monitoring and learning: criteria that concern an organization's evolution
Other country standards
- South Africa's King Report
- France's Vienot Report

14 Quality Control Standards
- In addition to IC, improve public confidence in products and processes by adopting quality control standards
- ISO 9000 series: certifies that organizations comply with documented quality standards
- Six Sigma: an approach to process and quality improvement

15 Statements on Auditing Standards
- Issued by the AICPA's Accounting Standards Board
- SAS 78: Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
- SAS 94: The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit
- New standards related to risk assessment

16 ISACA's CobiT
- Integrates IC with information and IT
- Used by managers and business owners along with auditors and information users
- Three dimensions: information criteria, IT processes, and IT resources
- Organizations must ensure their information assets satisfy the requirements of quality, fiduciary, and security

17 ISACA's CobiT cont.
- Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
- Each domain consists of processes
- CobiT identifies control objectives for each process
- New management guidelines (new addition)

18 Systems Reliability Assurance
- American Institute of Certified Public Accountants (AICPA) + Canadian Institute of Chartered Accountants: SysTrust
- SysTrust increases management, customer, supplier, and business partner confidence in IT

19 Documenting IT Controls
Internal control narratives
- Text describing controls over a particular risk
Flowcharts (internal control flowchart)
- Pictures are easier to understand, follow and update
IC questionnaires
- Ask questions about IC over various applications, processes, or risks
- Users or administrators complete the questionnaires with yes or no answers

20 Monitoring IT Risks and Controls
- CobiT identifies several control objectives associated with monitoring:
  - Monitoring the processes
  - Assessing IC adequacy
  - Obtaining independent assurance
  - Providing independent audit
- Need for independent assurance and audit of IT controls
