
Information System Audit

IT Risk and Control


Risk management
• Risk is the chance of negative outcomes.
• “No risk, no reward.”
• Risk needs to be balanced.

Thus, business needs to manage risks continuously.

Figure 1 – The Risk Management Process: Identify IT Risks → Assess IT Risks → Identify IT Controls → Document IT Controls, with Monitor IT Risks and Controls running across all four steps.



1. IDENTIFY IT RISKS
Risks

Business risk
• Not achieving business goals and objectives

Audit risk
• External auditor making a mistake when issuing an opinion

Security risk
• Failing to maintain data access and integrity

Continuity risk
• Failing to maintain information system availability and backup and recovery
Business risk
“Business risk is the likelihood that an organization will not achieve
its business goals and objectives”
• Auditors should be familiar with the enterprise’s strategic plan to identify
business risks
• Can result from external and internal factors
– External: new competitor in market, poor economy
– Internal: labor disputes, management fraud
• IT holds a significant part in the organization, increasing business risk
– Large investment in IT
– IT timing risk is prevalent, especially in new software/hardware procurement
Audit risk
“Audit risk is the likelihood that an organization’s external auditor
makes a mistake when issuing an opinion attesting to the fairness of
its financial statements, or that an IT auditor fails to uncover a
material error or fraud”

Audit Risk (AR) has three components:
• Inherent Risk (IR) – likelihood of material errors or fraud inherent in the business environment.
• Control Risk (CR) – likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis.
• Detection Risk (DR) – likelihood that audit procedures will not detect material errors or fraud on a timely basis.
Security risk and Continuity risk

Security risk
“Risks associated with data access and integrity”
• Can be physical or logical
• Possible risks:
– Lack of data integrity
– Poor decision making
– Breach of privacy and confidentiality
– Increased business risk

Continuity risk
“Risks associated with an information system’s availability
and backup and recovery”
• Possible risks:
– Hacker attack
– Loss of consumer trust
– Loss of profit
– Loss of financial and critical data

2. ASSESS IT RISKS
Threats and Vulnerabilities
Approach to IT Risk Assessment
• Identify threats/exposures
Examples: data confidentiality, data availability, data integrity, data timeliness, data accuracy, IT infrastructure
• Assess vulnerabilities to threats/exposures
Examples: data confidentiality, remote access by unauthorized peers, on-site access by unauthorized personnel
• Determine acceptable risk levels and assess the probability of vulnerabilities
Example: chance of remote access by unauthorized users is .05 percent

Calculating value of risk

Expected value of risk = % likelihood of loss × Estimated loss from specified risk
Risk Indicators and Risk Measurements

Another approach to IT Risk Assessment
• Identify IT processes
Example: acquiring of software applications
• Develop a set of risk indicators for the identified processes
Example: failure to map software acquisitions to strategic plan
• A risk indicator points to a need for IT controls
(at this stage the organization has noted the presence of risk, and can choose to control them or not)
Recommendations:
• Usage of weighted approach
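As an added worked example (not from the original slides), both assessment approaches above in Python: the expected value of risk for a constructed register of threats compared against an acceptable risk level, and a weighted risk-indicator score for the IT process "acquiring of software applications". The register figures, the acceptable level, the indicator weights and all indicators other than the slide's own example are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    threat: str
    likelihood: float      # probability of loss as a fraction (0.0005 == .05 percent)
    estimated_loss: float  # estimated loss from the specified risk, in currency units

def expected_value(risk):
    """Expected value of risk = % likelihood of loss x estimated loss from the risk."""
    return risk.likelihood * risk.estimated_loss

def needs_control(risk, acceptable_level):
    """A risk whose expected loss exceeds the acceptable level points to a need for a control."""
    return expected_value(risk) > acceptable_level

def prioritize(register, acceptable_level):
    """Rank the register by expected loss and flag each entry against the acceptable level."""
    ranked = sorted(register, key=expected_value, reverse=True)
    return [(r.threat, round(expected_value(r), 2), needs_control(r, acceptable_level))
            for r in ranked]

def weighted_indicator_score(indicators):
    """Weighted approach to risk indicators: indicators maps an indicator name to
    (weight, observed rating 0-3); returns the weighted average rating for the process."""
    total_weight = sum(weight for weight, _ in indicators.values())
    return sum(weight * rating for weight, rating in indicators.values()) / total_weight

# Constructed sample register; the likelihoods and losses are illustrative assumptions.
REGISTER = [
    Risk("remote access by unauthorized users", 0.0005, 2_000_000),
    Risk("on-site access by unauthorized personnel", 0.002, 150_000),
    Risk("loss of data integrity in the ledger system", 0.01, 500_000),
]
ACCEPTABLE_LEVEL = 500  # constructed: management's acceptable expected loss per risk

# Constructed indicators for the IT process "acquiring of software applications";
# the first one is the slide's example, the other two are assumptions.
ACQUISITION_INDICATORS = {
    "acquisition not mapped to strategic plan": (3, 3),
    "no vendor due diligence performed": (2, 1),
    "contract lacks support and exit terms": (1, 0),
}

if __name__ == "__main__":
    for threat, value, flagged in prioritize(REGISTER, ACCEPTABLE_LEVEL):
        print(f"{threat}: expected loss {value}, control needed: {flagged}")
    print(f"acquisition process risk score: {weighted_indicator_score(ACQUISITION_INDICATORS):.2f}")
```

Risks above the acceptable level feed step 3 (identify IT controls); the indicator score lets processes be compared before deciding which to control.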

3. IDENTIFY IT CONTROLS
Control Standards
• Internal control models around the world
– US – Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
– UK – Cadbury Commission
– Canada – Canadian Criteria of Control Committee (CoCo)

• Quality
– ISO 9000 – Provides broad quality standards for products,
processes and management
– Six Sigma – Represents a standardized approach to process
improvement
Statements on Auditing Standards
• Issued by Auditing Standards Board (ASB) of the
American Institute of Certified Public Accountants
(AICPA)
• Provides guidelines for external auditors in conducting
the financial statement audit.
• Continuously revised and improved to conform to
standards and provide greater understanding of
enterprise and its environment, particularly in internal
control.
COBIT 5
COBIT 5 is a comprehensive framework that assists enterprises in achieving their goals and delivering value through
the implementation of governance and IT management.

Legend

Governance – Evaluate, Direct, and Monitor (EDM): activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcomes. Governance is driven by Business Needs and exchanges Management Feedback with the four management domains below.

Management
• Plan – Align, Plan, and Organise (APO): identify the strategy to find the best way IT can contribute to the achievement of the business objective.
• Build – Build, Acquire, and Implement (BAI): identify, develop/procure, implement, and integrate IT solutions into business processes to achieve IT strategic objectives.
• Run – Deliver, Service, and Support (DSS): delivery of IT solutions so that they are used optimally by end-users.
• Monitor – Monitor, Evaluate, and Assess (MEA): monitoring of the entire process to ensure compliance with all the given directions.

4. DOCUMENT IT CONTROLS
Documentation tools
• Narratives – should describe the origin and disposition of documents, list processing steps, and describe internal controls such as approvals.
• Flowcharts – should be designed with a standard in mind, providing a similar level of detail, and use designs that can be easily digested.
• Questionnaires – should be utilized to cover all aspects of risk evaluation, can be compared among several individuals, and can also help in constructing a narrative or flowchart.

5. MONITOR IT RISKS AND CONTROLS


Continuous monitoring
• Risk management requires constant attention, which is why the process is
continuous.
• COBIT control objectives on monitoring:
– Monitoring the process
– Assessing internal control adequacy
– Obtaining independent assurance
– Providing for an independent audit
• Performance measurement systems and benchmarking should be
utilized
• The pervasive nature of IT mandates that auditors evaluate IT relative to
business, audit, security and continuity risks.
Summary
• Types of IT risks
• Approaches in assessing risk
• The need for organizations to understand IT risks
• IT auditors may document existing internal controls using documentation
tools
• IT Risk Management Process is never ending. Changes
in technologies and/or business processes may create
new threats. As a result, it is important to constantly
monitor IT risks and controls
