
Vasile - Claudiu Brandas, dr., professor
claudiu.brandas@e-uvt.ro
▪ Cybersecurity and Information Systems Audit in Organizations [4 hours]
▪ Information Systems Risk and Control [4 hours]
▪ Information Systems Audit Process and Methodology [4 hours]
▪ PenTests [12 hours]
▪ Network and Operating Systems Audit [4 hours]
▪ ERP Systems Audit [4 hours]
▪ e-Business Systems Audit [4 hours]
▪ Mobile Systems Audit [4 hours]
▪ Artificial Intelligence in Information Systems Audit [2 hours]
10/25/2021
[Diagram: business events/documents and transactions are processed by computer applications (ERP, accounting programs, sales management, payroll, etc.) and feed financial reporting; this flow generates financial/non-financial risks.]
▪ In recent years, audit has moved from a control-based approach to a risk-based approach.

▪ The RISK within the information system represents the probability of a loss that would negatively affect the information resources and the functionality of the system.
▪ The risk is defined by the following elements:
▪ Vulnerability, Threats or Risk Factors
▪ Impact
▪ Probability

▪ RISK = Probability X Impact [ISACA]

▪ RISK = Vulnerabilities X Threats X Probability X Impact


▪ Vulnerability of the information system:
▪ It represents a weak point in the system that can be exploited by a risk factor (threat) to cause damage to the system.
▪ Weak passwords
▪ Lack of antivirus
▪ Miscalculations
▪ Incorrect data validation
▪ It is mostly internal to the organization
https://info.edgescan.com/vulnerability-stats-report-2021
https://www.bulletproof.co.uk/industry-reports/bulletproof-annual-cyber-security-report-2021
▪ Threats or risk factors:
▪ Natural disasters (earthquakes, fires, floods, pandemics, etc.)
▪ Humans
▪ Internal (fraud, errors)
▪ External (hackers)
▪ Technical (hardware errors, software errors)
▪ Malware (viruses, worms, ransomware, trojans, spyware, adware, rootkits)
https://threats.kaspersky.com/en/threat/?view=hierarchy
▪ Impact
▪ Qualitative evaluation (how significant is the impact: 1-low; 2-medium; 3-high)
▪ Quantitative assessment (how much the loss due to exposure to threats costs in money)
▪ Probability
▪ How likely is the threat to occur or have an effect?
▪ Qualitative evaluation:
▪ 1-low
▪ 2-medium
▪ 3-high
▪ Ransomware
▪ CovidLock (2020)
https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.kaspersky.com/blog/top5-ransomware-groups
▪ Trojans
▪ Emotet (2014)
▪ banking trojan
▪ Malware-as-a-Service
https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1
https://threatresearch.ext.hp.com/emotet-analysis-catch-me-if-you-can/
▪ Risk management can be defined as the process of
identifying vulnerabilities and threats within an
organization, as well as developing measures to
minimize their impact on the organization's information
resources.
▪ Principles of risk management (www.isaca.org)
[Diagram: the risk management process]
RISK ASSESSMENT: identification of IT risks; risk evaluation.
RISK MITIGATION: identification of IT controls; implementation of controls.
RISK RE-EVALUATION: risk re-evaluation.
Supporting tools: probability-impact values matrix; risks and controls assessment matrix.

▪ Identifying risks:
▪ Checklists (questionnaires).
▪ Interviews.
▪ Specialized worksheets.
▪ Specialized computer applications.
▪ Risk assessment methods:
▪ Qualitative methods.
▪ Quantitative methods.
▪ Application 1 (qualitative method):
▪ The level of risk for unauthorized access to an IT application for personnel and salary records can be assessed as follows:
▪ Threat: unauthorized users (employees).
▪ Evaluation matrix (% of employees -> score):
▪ 10% of employees: 1 (low)
▪ 10% - 50%: 2 (medium)
▪ Over 50%: 3 (high)
▪ Vulnerabilities:
▪ Evaluation matrix (vulnerability -> score):
▪ Application not password protected but the files are encrypted: 1
▪ Files are unencrypted but the application has a password: 2
▪ Files are unencrypted and the application has no password: 3
▪ Value or importance of the information resource:
▪ Evaluation matrix (level -> score):
▪ Low: 1
▪ Medium: 2
▪ High: 3

▪ Level of risk = 2 X 2 X 2 = 8
▪ Application 2 (quantitative method):

▪ During the audit of an IT application for the management of goods existing on a server connected to the Internet, it was determined that in the last year there were 3 attacks resulting in the theft of data and 2 viruses that led to the deletion of some files from the database. It was also found that after each attack the sales volume decreased by 5% from the average sales volume of the last year, and after each virus infection €1,000 was spent on data recovery. The average sales volume of the last year being EUR 500,000, the value of the annual loss due to exposure to the two risk factors is:

▪ Value of the annual loss = 3 X 500,000 X 5% + 2 X 1,000 = 77,000 EUR
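The qualitative scoring of Application 1 and the annual-loss computation of Application 2, carried through in code as an added example (not part of the course material). It generalizes the quantitative case to any list of risk factors, and assumes two things the slides leave open: the employee bands are 10% or fewer -> 1, more than 10% up to 50% -> 2, more than 50% -> 3, and the combination "password protected and encrypted", which the vulnerability matrix does not list, gets the lowest score 1.

```python
# Qualitative method (Application 1): each factor is scored 1 (low),
# 2 (medium) or 3 (high); the level of risk is the product of the scores.

def threat_score(pct_unauthorized_employees: float) -> int:
    """Threat score from the share of employees who could gain unauthorized access.
    Assumption: bands closed at the lower end (<=10 -> 1, <=50 -> 2, else 3)."""
    if not 0 <= pct_unauthorized_employees <= 100:
        raise ValueError("percentage must be between 0 and 100")
    if pct_unauthorized_employees <= 10:
        return 1
    if pct_unauthorized_employees <= 50:
        return 2
    return 3


def vulnerability_score(password_protected: bool, files_encrypted: bool) -> int:
    """Vulnerability score from the slide's matrix: no password but encrypted -> 1,
    password but unencrypted -> 2, no password and unencrypted -> 3.
    Assumption: password AND encrypted (not on the slide) -> 1."""
    if not password_protected and not files_encrypted:
        return 3
    if password_protected and not files_encrypted:
        return 2
    return 1


VALUE_SCORES = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(pct_unauthorized_employees: float, password_protected: bool,
                     files_encrypted: bool, value_level: str) -> int:
    """Level of risk = threat score x vulnerability score x value score (1..27)."""
    return (threat_score(pct_unauthorized_employees)
            * vulnerability_score(password_protected, files_encrypted)
            * VALUE_SCORES[value_level.lower()])


# Quantitative method (Application 2): annual loss is the sum, over all risk
# factors, of (occurrences per year) x (loss per occurrence).

def annual_loss(factors: list[tuple[int, float]]) -> float:
    """factors: (occurrences_per_year, loss_per_occurrence) pairs."""
    return float(sum(n * loss for n, loss in factors))


if __name__ == "__main__":
    # Constructed input: 30% of employees (medium threat), unencrypted files
    # behind a password, medium-value resource -> 2 x 2 x 2 = 8
    print(qualitative_risk(30, True, False, "medium"))
    # Slide values: 3 attacks costing 5% of EUR 500,000 each, 2 infections at EUR 1,000
    print(annual_loss([(3, 500_000 * 0.05), (2, 1_000)]))  # 77000.0
```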


▪ QUIZ#1

https://forms.gle/UuvEQubM59MKGRX47
▪ Audit Risk:

▪ Inherent Risk. It represents the probability that an error or fraud will occur
inherently due to the nature of the activity carried out in the enterprise.

▪ Control Risk. It represents the probability that an error or fraud will occur without
being detected or prevented by internal control.

▪ Detection Risk. It represents the probability that an auditor will not detect, through
the tests applied, an error within the audited control system.

Audit Risk = Inherent Risk × Control Risk × Detection Risk


▪ Information System Risk. It represents the probability of errors or fraud due to inappropriate use of the information system. The risk of the information system includes:

▪ Risks at the level of applications and operations in the IT system.

▪ The risk of continuing the activity of the IT system.


▪ Risks at the level of applications and operations in the IT system:
▪ unauthorized access to the system;
▪ entering inappropriate or false data;
▪ incomplete data processing;
▪ duplication of transactions;
▪ late processing of data;
▪ malfunction of data transmission;
▪ inadequate or non-existent segregation of functions and responsibilities;
▪ faulty analysis and design of applications;
▪ incompatibility between computer applications;
▪ infecting applications with viruses;
▪ inadequate user training;
▪ inadequate support and maintenance of applications.
▪ The risk of continuing the activity of the IT system:

▪ System availability risk - represents the probability that the system will become unavailable to users because its security is compromised (for example, a DoS attack by hackers).

▪ The risk of system recovery - represents the probability that data and system operations can no longer be recovered in order to continue the company's activity (for example, the lack of backups and of procedures for recovery and continuation of the activity leads to an increase in the level of this risk).
RISK ASSESSMENT IN THE INFORMATION SYSTEM

▪ In order to identify and evaluate the risks, in general, the following steps are taken:
▪ identification of risk factors;
▪ the ranking of risk factors according to their importance for the audited system;
▪ determining the frequency and duration of occurrence of each risk factor;
▪ quantifying and assessing the level of risk;
▪ scheduling the audit and allocating audit resources corresponding to the established risk level.
▪ ISACA - Risk IT
▪ https://www.isaca.org/resources/it-risk
▪ https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9VEAS

▪ NIST - Risk Management Guide for Information Technology Systems
▪ https://csrc.nist.gov/publications/sp500

▪ MEHARI (Méthode Harmonisée d'Analyse de Risques - Harmonised Risk Analysis Method)
▪ https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_mehari.html
▪ Risk IT is designed to assist in developing, implementing or enhancing the practice of risk management by: (www.isaca.org)
▪ Connecting the business context with the specific I&T assets
▪ Shifting the focus to activities over which the enterprise has significant control, such as actively directing and managing risk, while minimizing the focus on the conditions over which an enterprise has little control (threat actors)
▪ Increasing the focus on using a common risk language that correctly labels the items that have to be managed well to create value
▪ The Risk IT framework explains I&T-related risk and enables users to: (www.isaca.org)
▪ Identify I&T-related risk that exceeds narrow technical judgment and thus requires holistic, enterprise-level consideration
▪ Integrate the management of I&T-related risk into overall ERM processes
▪ Evaluate I&T risk and response in the context of overall enterprise risk tolerance
▪ Scope of I&T-related Risk Relative to Other Major Categories of Risk (www.isaca.org)
Complete a Risk Matrix for a Sales Process
