
CH.1 : IT impacts on IC and Audit / IT Governance

Impacts of IT
1. Complexity of controls
2. Increased reliance on systems
3. Introduction of new risks
4. Lack of technical personnel

Impacts on internal control (IC) and audit

1. Transaction trails
2. Uniform processing of transactions
3. Segregation of functions
4. Potential for errors and frauds
5. Potential for increased management supervision
6. Initiation/subsequent execution of transactions by computer
7. Dependence of other controls on computer processing

Reasons why a company wants to implement IT

- Increased productivity
- Provision of new services
- Competitive advantage
- Better decision making
- Improved company image (indirect impact)

RISK : anything that may impact the ability to achieve an organization's objectives.
- Acceptable risk (risk appetite)
- Inherent risk
- Residual risk

RISK MANAGEMENT : managing risks so that they stay within the organization's risk appetite, in order to provide reasonable assurance.

Risk management process

1. Understand objectives - IT objectives can be used as a basis
2. Identify risks - people, process, technology
3. Assess risks - the likelihood of occurrence and the impact on objectives are assessed
4. Respond to risks - a risk response is needed when the residual risk exceeds the acceptable risk
5. Monitoring - ensure that risks and responses remain aligned at all times

IT risk management
1.) IT objectives grouping
1. Effectiveness
2. Efficiency
3. Confidentiality
4. Availability
5. Integrity
6. Reliability
7. Compliance
2.) Risk identification - brainstorming
- People, process and technology
- Internal and external
- Hazard, uncertainty and opportunity
- Root cause

3.) Risk assessment

Business impact factors:
- Financial impacts
- Damage to reputation
- Interruption to business operations
- Loss of valuable assets
- Delay in decision making

Likelihood factors:
- Nature of business
- Organisation structure and culture
- Nature of the system
- Nature of transactions
- Volume

Level of impact (highest to lowest):
- Threaten business survival
- Major damage
- Tolerable
- Minor damage
- Insignificant damage

Level of likelihood (highest to lowest):
- Very likely
- Likely
- Possible
- Unlikely
- Impossible

4.) Risk response

COSO framework term = Key (4T) term

1. Accepting = Take
2. Reducing = Treat
3. Avoiding = Terminate
4. Sharing = Transfer
*COBIT can be used as a guideline for risk treatment*

5.) Monitoring

- Risk matrix/register, with the following columns:
  - Objectives
  - Risk factors
  - Risk rating
  - Current controls
  - Acceptable risk rating
  - Control improvement

- Risk map : the template that management uses to monitor overall risk management.
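As an added example (not part of these notes), a small Python risk register that applies the impact and likelihood scales above to compute a risk rating, compares it with the acceptable risk rating, and maps the result to the COSO/4T responses. The rules for choosing a response, and the sample register rows, are assumptions for illustration.

```python
# Added example (not part of the original notes): a minimal risk register that
# rates each risk on the notes' impact/likelihood scales, compares the rating
# with the acceptable rating and maps it to a COSO response / 4T key.
from dataclasses import dataclass
# 5-point scales from the notes, highest to lowest.
IMPACT = ["Threaten business survival", "Major damage", "Tolerable",
          "Minor damage", "Insignificant damage"]
LIKELIHOOD = ["Very likely", "Likely", "Possible", "Unlikely", "Impossible"]


def score(level: str, scale: list) -> int:
    """Highest level on the scale -> 5, lowest -> 1."""
    return len(scale) - scale.index(level)


@dataclass
class Risk:
    objective: str            # register column: Objectives
    risk_factor: str          # register column: Risk factors
    impact: str
    likelihood: str
    current_controls: str     # register column: Current controls
    acceptable_rating: int    # register column: Acceptable risk rating
    control_improvement: str = ""  # register column: Control improvement

    def rating(self) -> int:
        """Risk rating = impact score x likelihood score (1..25)."""
        return score(self.impact, IMPACT) * score(self.likelihood, LIKELIHOOD)

    def response(self) -> str:
        """Assumed rules (not from the notes): within appetite -> accept;
        survival-threatening -> avoid; rare but costly -> share; else reduce."""
        if self.rating() <= self.acceptable_rating:
            return "Accepting (Take)"
        if self.impact == IMPACT[0]:
            return "Avoiding (Terminate)"
        if score(self.likelihood, LIKELIHOOD) <= 2:
            return "Sharing (Transfer)"
        return "Reducing (Treat)"


def needs_improvement(register: list) -> list:
    """Monitoring view: rows whose rating exceeds the acceptable rating."""
    return [r for r in register if r.rating() > r.acceptable_rating]


# Constructed sample rows (illustrative values only).
REGISTER = [
    Risk("Availability", "Single data centre, no DR site", "Major damage",
         "Unlikely", "Nightly backups", acceptable_rating=6),
    Risk("Confidentiality", "Shared admin passwords", "Tolerable", "Likely",
         "Password policy only", 6, "Individual accounts and MFA for admins"),
]
```

Rows returned by `needs_improvement` are the ones whose "Control improvement" column should be filled in and tracked in the risk map.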
IT Governance : the relationships between management and the governing body.
The governing process:
- Setting objectives
- Giving direction
- Measuring performance

IT governance is concerned with two responsibilities:

1. Deliver value
2. Mitigate IT-related risks

CH.3 : IT Controls
Components of IT Controls

The impact of the control environment:

Effective = IT controls may tentatively be effective
Not effective = IT controls may not be effective

1. IT control environment

- Policies and procedures
  - Usage policy
  - Security policy
  - System development policy
  - System development and change procedures
  - Security administration procedure
  - IT operation procedures and manuals
- Organization structures
  - Roles and responsibilities
    - Owner of the application system
    - Owner of the data/information
  - Segregation of IT functions
    - IT vs. users
    - Within IT
- HR management
- Tone at the top
  - Culture/ethics/code of conduct

2. IT general controls: the foundation of overall control

- Responsibility of IT management
- COBIT is a good collection of all ITGCs

3. IT application controls:

- Access to application functions
- Input controls
- Processing controls
- Output controls

CH.5 : System development

Risks and controls
- The highest risk is that the system does not achieve the business objective
- Management needs to know whether they are building the product right and building the right product

Associated risks
- Developed system not in line with objectives
- Development project may be delayed
- Development project uses resources inefficiently
- Computer programs do not work correctly

Controls
System development methodology
1. Traditional method (old method) - waterfall
Type of system development
- Custom development
- Purchase commercial software
- Considerations
  - Implementation time
  - Cost
  - Reliability
  - Dependence
  - Customisation
  - Maintenance

Systems development life cycle

1. Initiation
- Make sure that everyone understands the objectives
- Prepare the team
- Organizational structure and reporting mechanisms are properly defined

2. Analysis - what we want the system to be
- Gather all the requirements
- Controls built into the system
- Recheck the requirements

3. Design - the design incorporates business, control, and audit requirements
- The design must align with the requirements

4. Construction - the new system is tested
- Unit test (programmers)
- System test (system analysts) - all requirements are tested
- User acceptance test (users)
- Stress test (performance test)

5. Implementation
- Critical operational controls have been implemented
- User approval
- System is migrated
- Data should be properly converted from the old to the new system
- Performs as designed
- Requirements are satisfied


System documentation
1. System manual : how to maintain the system
2. Operations manual : how to do the backups
3. User manual : tells the user how to use the system
4. User procedures : how users should work with the system

System implementation
1. Direct cutover
2. Parallel implementation : the old system runs alongside the new system
3. Pilot implementation : use the new system first to make sure that it works after leaving the old system
4. Phased (module) implementation

2. Agile method - brings the system to life quicker

4 principles
1. Individuals and interactions over processes and tools
2. Working software over comprehensive documentation
3. Customer collaboration over contract negotiation
4. Responding to change over following a plan

Key terminologies
Scrum - a framework used to develop complex products
Sprints - time-boxed periods

Key players
Product owner - prioritizes and adjusts which features will be in the product release
Scrum master - main facilitator for the project's development team
Scrum team - responsible for executing the work
