, professor
claudiu.brandas@e-uvt.ro
▪ Cybersecurity and Information Systems Audit in Organizations [4 hours]
▪ Information Systems Risk and Control [4 hours]
▪ Information Systems Audit Process and Methodology [4 hours]
▪ PenTests [12 hours]
▪ Network and Operating Systems Audit [4 hours]
▪ ERP Systems Audit [4 hours]
▪ e-Business Systems Audit [4 hours]
▪ Mobile Systems Audit [4 hours]
▪ Artificial Intelligence in Information Systems Audit [2 hours]
10/25/2021
[Diagram labels: Business events/documents; Computer applications (ERP, accounting programs, sales management, payroll, etc.); Generate transactions; Financial reporting; Financial/non-financial risks]
In recent years, auditing has moved from a control-based
approach to a risk-based approach.
https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.kaspersky.com/blog/top5-ransomware-groups
▪ Trojans
▪ Emotet (2014)
▪ banking trojan
▪ Malware-As-a-Service
https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1
https://threatresearch.ext.hp.com/emotet-analysis-catch-me-if-you-can/
▪ Risk management can be defined as the process of
identifying vulnerabilities and threats within an
organization, as well as developing measures to
minimize their impact on the organization's information
resources.
▪ Principles of risk management (www.isaca.org)
RISKS AND CONTROLS ASSESSMENT MATRIX
RISK ASSESSMENT
Risk evaluation
Identification of IT controls
RISK MITIGATION
Implementation of controls
▪ Qualitative Methods.
▪ Quantitative Methods.
▪ Application 1 (qualitative method):
▪ The level of risk for unauthorized access to an IT application for personnel and salary records can be assessed as follows:
▪ Threat: unauthorized users (employees).
▪ Evaluation Matrix (% of employees: score)
▪ 10% of employees: 1 (low)
▪ 10% - 50%: 2 (medium)
▪ Over 50%: 3 (high)
▪ Vulnerabilities:
▪ Evaluation Matrix (vulnerability: score)
▪ Application is not password protected but the files are encrypted: 1
▪ Files are unencrypted but the application has a password: 2
▪ Files are unencrypted and the application has no password: 3
▪ Value or importance of the information resource:
▪ Evaluation Matrix (level: score)
▪ Low: 1
▪ Medium: 2
▪ High: 3
▪ Level of risk = 2 X 2 X 2 = 8
▪ Application 2 (quantitative method):
https://forms.gle/UuvEQubM59MKGRX47
▪ Audit Risk:
▪ Inherent Risk. It represents the probability that an error or fraud will occur
inherently due to the nature of the activity carried out in the enterprise.
▪ Control Risk. It represents the probability that an error or fraud will occur without
being detected or prevented by internal control.
▪ Detection Risk. It represents the probability that an auditor will not detect, through
the tests applied, an error within the audited control system.