
1 IT Risks and Controls Revised on 2014

2 Content
Internal Control
 What is internal control?
 Objectives of internal controls
 Types of internal controls
 Elements of internal controls
 Categories of internal controls
Risk
 Risk management control
 Types of risk
 Risk IT framework by ISACA
CISB424, Sulfeeza

3 Internal Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved (Source: Cascarino, 2012)
Objectives and goals of an organization can be divided into:
a) Corporate objectives – the statement of corporate intent
b) Management objectives – how the corporate objectives will be met

4 Internal Control
Whose responsibility? Management is responsible for ensuring that controls are properly planned, organized and directed:
a) Planning – establishing control objectives and goals, and choosing the preferred method of utilizing resources
b) Organizing – gathering the required resources and arranging them so that objectives may be attained
c) Directing – authorizing, instructing and monitoring performance

5 Objectives of Internal Control
1. Reliability and integrity of information
2. Compliance with policies, plans, procedures, laws and regulations
3. Safeguarding assets
4. Effectiveness and efficiency of operations

6 Types of Internal Control
1. Preventive controls – steps designed to keep errors or irregularities from occurring in the first place
2. Detective controls – steps designed to detect errors or irregularities that may have occurred
3. Corrective controls – steps designed to correct errors or irregularities that have been detected
4. Directive controls – steps designed to produce positive results and encourage acceptable behaviors
5. Compensating controls – a weakness in one control may be compensated by another control elsewhere
(Source: Cascarino, 2012; https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)

7 Elements of Internal Control
Management must ensure the following when designing internal controls:
1. Segregation of duties
2. Competence and integrity of people
3. Appropriate level of authority
4. Accountability
5. Adequate resources
6. Supervision and review
(Source: Cascarino, 2012)

8 Limitations of Internal Control
1. Judgment – the effectiveness of controls is limited by decisions made with human judgment, under pressure to conduct business, based on the information available at hand.
2. Breakdowns – even well-designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.
3. Management override – high-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.
4. Collusion – a control system can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by the control system.
(Source: https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)

9 Categories of IT Controls
The objectives of IT controls relate to the confidentiality, integrity and availability of data and to the overall management of the IT function in an organization.
IT controls can be categorized as:
1. IT general controls
2. IT application controls
(Source: Wikipedia)

10 IT General Controls
Help to ensure the reliability of data generated by IT systems. Areas included:
1. General IT controls
2. Computer operations
3. Physical security
4. Logical security
5. Program change control
6. Systems development
(Source: Cascarino, 2012; Wikipedia)

11 IT Application Controls
Help to ensure the completeness and accuracy of data processing, from input to output. Among the controls that can be implemented:
1. Completeness check
2. Validity check
3. Identification
4. Authentication
5. Authorization
6. Input controls
7. Forensic controls
(Source: Wikipedia)

12 IT Application Controls
1. Completeness check – controls that ensure all records were processed from initiation to completion
2. Validity check – controls that ensure only valid data is input or processed
3. Identification – controls that ensure all users are uniquely and irrefutably identified
4. Authentication – controls that provide an authentication mechanism in the application system
5. Authorization – controls that ensure only approved business users have access to the application system
6. Input controls – controls that ensure the integrity of data fed from upstream sources into the application system
7. Forensic controls – controls that ensure data is scientifically and mathematically correct based on inputs and outputs
(Source: Wikipedia)
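To make the application controls on slides 11 and 12 concrete, the following is an added example (not part of the slide deck) of a batch-processing routine that enforces a completeness check (record count, duplicate ids and a batch amount total against a control header), a validity check (required fields, numeric and precision constraints, known transaction types) and an authorization check (a user-to-transaction-type matrix), while writing an audit trail that serves as a detective control. The batch layout, field names, user names and the AUTHORIZED matrix are all constructed assumptions for illustration.

```python
"""Application controls over a constructed transaction batch (added example)."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample batch: a control header (expected record count and amount
# total) followed by transaction records. T003 carries a non-numeric amount and
# T004 is submitted by a user who is not authorized for transfers.
SAMPLE_BATCH = {
    "header": {"record_count": 4, "amount_total": "350.00"},
    "records": [
        {"id": "T001", "user": "alice", "amount": "100.00", "type": "transfer"},
        {"id": "T002", "user": "bob",   "amount": "200.00", "type": "transfer"},
        {"id": "T003", "user": "alice", "amount": "fifty",  "type": "transfer"},
        {"id": "T004", "user": "carol", "amount": "50.00",  "type": "transfer"},
    ],
}

# Assumed authorization matrix: which users may submit which transaction types.
AUTHORIZED = {"alice": {"transfer"}, "bob": {"transfer", "refund"}, "carol": {"refund"}}

REQUIRED_FIELDS = ("id", "user", "amount", "type")
VALID_TYPES = {"transfer", "refund"}


@dataclass
class ControlReport:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)     # record id -> rejection reason
    batch_errors: list = field(default_factory=list)  # batch-level completeness failures
    audit_log: list = field(default_factory=list)     # detective control: evidence trail


def completeness_check(batch):
    """Completeness check: every record received, none lost or duplicated."""
    records = batch["records"]
    errors = []
    expected = batch["header"]["record_count"]
    if len(records) != expected:
        errors.append(f"record count {len(records)} != header {expected}")
    ids = [r.get("id") for r in records]
    if len(ids) != len(set(ids)):
        errors.append("duplicate record ids in batch")
    return errors


def validity_check(record):
    """Validity check: only well-formed data is processed. Returns a reason or None."""
    for name in REQUIRED_FIELDS:
        if name not in record or record[name] in ("", None):
            return f"missing field {name}"
    try:
        amount = Decimal(record["amount"])
    except InvalidOperation:
        return "amount is not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return "amount must be positive with at most 2 decimals"
    if record["type"] not in VALID_TYPES:
        return f"unknown transaction type {record['type']}"
    return None


def authorization_check(record):
    """Authorization: only approved users may submit this transaction type."""
    if record["type"] not in AUTHORIZED.get(record["user"], set()):
        return f"user {record['user']} not authorized for {record['type']}"
    return None


def process_batch(batch):
    """Run every record through the controls and reconcile against the header."""
    report = ControlReport()
    report.batch_errors = completeness_check(batch)
    for record in batch["records"]:
        rid = record.get("id", "<no id>")
        reason = validity_check(record) or authorization_check(record)
        if reason:
            report.rejected[rid] = reason
            report.audit_log.append(f"REJECT {rid}: {reason}")
        else:
            report.accepted.append(rid)
            report.audit_log.append(f"ACCEPT {rid}")
    # Amount total of accepted records against the header: a detective control
    # that flags when rejections or lost records change the batch total.
    accepted_total = sum(
        Decimal(r["amount"]) for r in batch["records"] if r["id"] in report.accepted
    )
    expected_total = Decimal(batch["header"]["amount_total"])
    if accepted_total != expected_total:
        report.batch_errors.append(
            f"accepted total {accepted_total} != header total {expected_total}"
        )
    return report


if __name__ == "__main__":
    rep = process_batch(SAMPLE_BATCH)
    print("accepted:", rep.accepted)        # ['T001', 'T002']
    print("rejected:", rep.rejected)        # T003 and T004 with reasons
    print("batch errors:", rep.batch_errors)  # total 300.00 != header 350.00
```

Each control returns a reason rather than raising, so a single bad record is rejected and logged without aborting the batch, and the header reconciliation at the end exposes that two records were dropped; reviewing the audit log afterwards is the detective side of the same controls.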

13 IT General and Application Controls Hierarchy
[Diagram: a layered hierarchy of controls, labelled Governance, Management and Technical, listing from top to bottom: Policies; IT Standards; Management and Organization; Physical and Environmental Controls; Systems Software Controls; Systems Development Controls; Application-based Controls]

14 Risks
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action (Source: BusinessDictionary.com)

15 Risks
So what are threats and vulnerabilities?
Threat – a possible danger that might exploit a vulnerability to breach security and thus cause possible harm (Source: Wikipedia)
Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats (where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission) (Source: ISO)

16 Types of Risks
1. Business risk – the possibility that a company will have lower than anticipated profits, or that it will experience a loss rather than a profit (Source: Investopedia)
2. Audit risk
a) Inherent risk – the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances (Source: BusinessDictionary.com)
b) Control risk – the likelihood that the control processes established to manage inherent risk prove to be ineffective (Source: Cascarino, 2012)
c) Residual risk – the risk that significant business exposures have not been adequately addressed by the audit process (Source: Cascarino, 2012)
3. Continuity risk – the possibility that a company will not be able to continue its operations due to weakness in control

17 IT Risks
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence (Source: ISO)

18 Categories of IT Risks
1. IT service delivery risk – associated with the performance and availability of IT services
2. IT solution delivery/benefit realization risk – associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs
3. IT benefit realization risk – associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives

19 Risk Management
The process which aims to help organizations to understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure (Source: Institute of Risk Management)

20 Risk IT Framework

21 Domains of Risk IT Framework
a) Risk Governance – ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
b) Risk Evaluation – ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.
c) Risk Response – ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.


