ASI - IT Risk and Controls
1. IDENTIFY IT RISKS
Risks
Business risk
• Not achieving business goals and objectives
Audit risk
• External auditor issuing an inappropriate opinion (for example, an unqualified opinion on materially misstated financial statements)
Security risk
• Failing to maintain control over data access and data integrity
Continuity risk
• Failing to maintain information system availability, including backup and recovery
Business risk
“Business risk is the likelihood that an organization will not achieve
its business goals and objectives”
• Auditors should be familiar with the enterprise's strategic plan in order to identify business risks
• Can result from external and internal factors
External factors:
• New competitor in market
• Poor economy
Internal factors:
• Labor disputes
• Management fraud
2. ASSESS IT RISKS
Threats and Vulnerabilities
Approach to IT Risk Assessment
Step 1 – Identify threats/exposures
Examples:
• Data confidentiality
• Data availability
• Data integrity
• Data timeliness
• Data accuracy
• IT infrastructure
Step 2 – Assess vulnerabilities to threats/exposures
Examples:
• Data confidentiality
• Remote access by unauthorized peers
• On-site access by unauthorized personnel
Step 3 – Determine acceptable risk levels and assess the probability of vulnerabilities
Examples:
• Chance of remote access by unauthorized users is .05 percent
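The three steps above carried through as a small risk register. This is an added example, not part of the original slides: it assumes a simple probability × impact exposure measure and an assumed per-risk acceptable-loss threshold, and every register entry (threats, vulnerabilities, probabilities, impacts) is constructed for illustration; only the .05 percent remote-access figure comes from the page.

```python
"""Three-step IT risk assessment: identify threats/exposures, assess
vulnerabilities, then compare probability-weighted exposure against an
acceptable risk level.  Added example; register contents are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    threat: str          # step 1: the threat/exposure (e.g. data confidentiality)
    vulnerability: str   # step 2: how that threat could be realised
    probability: float   # step 3: assessed annual probability, 0.0 .. 1.0
    impact: float        # assumed loss if realised, in currency units

    def __post_init__(self) -> None:
        # Reject nonsense inputs early; a probability of 5 (a percentage typed
        # as a fraction) would silently inflate every downstream figure.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1]: {self.probability}")
        if self.impact < 0:
            raise ValueError(f"impact must be non-negative: {self.impact}")

    def expected_loss(self) -> float:
        """Probability-weighted exposure (expected annual loss)."""
        return self.probability * self.impact


def assess(register: List[Risk], acceptable_loss: float) -> List[Tuple[Risk, float, bool]]:
    """Return (risk, expected_loss, within_tolerance), highest exposure first."""
    scored = [(r, r.expected_loss(), r.expected_loss() <= acceptable_loss) for r in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed register.  0.0005 is the ".05 percent" from the slide; the
# remaining probabilities and all impact figures are assumptions.
REGISTER = [
    Risk("Data confidentiality", "Remote access by unauthorized users", 0.0005, 2_000_000),
    Risk("Data confidentiality", "On-site access by unauthorized personnel", 0.03, 250_000),
    Risk("Data availability", "Backup restore fails after an outage", 0.10, 40_000),
    Risk("Data integrity", "Unvalidated batch input corrupts records", 0.05, 120_000),
]
ACCEPTABLE_LOSS = 5_000.0  # assumed acceptable expected loss per risk


def risks_needing_controls(register: List[Risk] = REGISTER,
                           acceptable_loss: float = ACCEPTABLE_LOSS) -> List[str]:
    """Vulnerabilities whose exposure exceeds the acceptable level; these are
    the candidates for the next step, identifying IT controls."""
    return [r.vulnerability for r, _, ok in assess(register, acceptable_loss) if not ok]


if __name__ == "__main__":
    for risk, loss, ok in assess(REGISTER, ACCEPTABLE_LOSS):
        flag = "ok" if ok else "EXCEEDS tolerance"
        print(f"{risk.threat:22} {risk.vulnerability:42} {loss:10.2f}  {flag}")
```

The register deliberately ranks by expected loss rather than by probability alone: the lowest-probability item (remote access at .05 percent) carries the largest impact, and whether it needs a control depends on the acceptable risk level chosen in step 3, not on the probability figure by itself.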
3. IDENTIFY IT CONTROLS
Control Standards
• Internal control models around the world
– US – Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
– UK – Cadbury Commission
– Canada – Canadian Criteria of Control Committee (CoCo)
• Quality
– ISO 9000 – Provides broad quality standards for products,
processes and management
– Six Sigma – Represents a standardized approach to process
improvement
Statements on Auditing Standards
• Issued by Auditing Standards Board (ASB) of the
American Institute of Certified Public Accountants
(AICPA)
• Provide guidelines for external auditors in conducting the financial statement audit
• Continuously revised and improved to conform to current standards and to give the auditor a better understanding of the enterprise and its environment, particularly its internal control
COBIT 5
COBIT 5 is a comprehensive framework that assists enterprises in achieving their goals and delivering value through the governance and management of enterprise IT.
Governance
• Evaluate, Direct, and Monitor (EDM) – governance sets direction for management and monitors it; management reports back as feedback
Management
• Plan – Align, Plan, and Organise (APO)
• Build – Build, Acquire, and Implement (BAI) – implementation of IT solutions into business processes to achieve IT strategic objectives
• Run – Deliver, Service, and Support (DSS) – delivery of IT solutions so that they are used optimally by end users
• Monitor – Monitor, Evaluate, and Assess (MEA)
4. DOCUMENT IT CONTROLS
Documentation tools