IT Risk, Control & Audit

Uploaded: 14-Aug-2020

Page 1: IT Risk, Control & Audit · Skills of IT and non- IT ... and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing ... Enterprise Architecture

IT Risk, Control & Audit

Page 2

Computer Environment

• Audit the General Controls
• Audit the Application Controls
• Using Tools to Audit the Information

[Figure: computer center hosting applications and their data files]

Page 3

Values and Challenges

Values:
• Increased productivity
• Provision of new services
• Competitive advantage
• Better decision making
• Improved company image

Challenges:
• Complexity of controls
• Increased reliance on systems
• Increased risks
• Lack of technical personnel

Page 4

Impacts of IT on Internal Control & Audit

• Transaction trails
• Uniform processing of transactions
• Segregation of functions
• Potential for errors and frauds
• Potential for increased management supervision
• Initiation or subsequent execution of transactions by computers
• Dependence of other controls

Page 5

Page 6

Risks

Definitions

Risk is anything that may have an impact on an organisation's ability to achieve its objectives.

Page 7

Risk Management Process

1. Understand objectives. IT objectives should be defined so that they are in line with business objectives; the 7 IT objectives (Page 8) can be used as a basis.

2. Identify risks. Anything that can affect the ability to achieve the above objectives, across people, process and technology.

3. Assess risks. LIKELIHOOD of occurrence and IMPACT on the objective are assessed at both the INHERENT and the RESIDUAL level.

4. Respond to risks. If RESIDUAL risk still exceeds ACCEPTABLE risk, additional risk responses should be implemented.

5. Monitoring. All steps are monitored to ensure that risk and response remain aligned at all times.

Page 8

IT Objectives

Page 9

Risk Identification

2. Risk Identification: People, Process & Technology; Internal & External; Hazard, Uncertainty & Opportunity

Root causes:

• Poor management (planning & policy)

• System (H/W & technology)

• Skills of IT and non-IT staff

• Processing management (design & execution)

• Security management (policy & procedure)

• System (H/W, technology & network)

• User awareness

• Hackers, viruses

• System & network design

• Hardware failures

• External sabotage

• Viruses & attacks

• No BCP, backup & recovery

• System design (input, process & output)

• Hackers & unauthorised access

• Poor authority-granting procedures

• Unaware of, or not understanding, rules and regulations

• No monitoring

Page 10

Risk Definition

• Acceptable Risk (Risk Appetite): the level of risk management is willing to accept
• Inherent Risk: the risk before any controls are applied
• Residual Risk: the risk that remains after current controls are applied

Page 11

Risk Response

1. Accepting (Take)
2. Reducing (Treat)
3. Avoiding (Terminate)
4. Sharing (Transfer)

COBIT can be used as a guideline for risk treatment.

Page 12

Risk Matrix

Objectives:
• Risk factors
• Risk rating (likelihood / impact)
• Current controls
• Acceptable risk rating
• Control improvement

Columns of the matrix: Risk Factors | Rating (L / I) | Current Controls | Rating (L / I) | Control Improvements
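The arithmetic behind the matrix, as an added worked example that is not part of the slide deck: each risk is scored as likelihood x impact on a 1 to 5 scale, once inherently and once with current controls in place, and the residual score is compared with the acceptable rating to decide whether more response is needed. The scale, the band thresholds, the risk references and the sample register entries are all constructed assumptions.

```python
"""Risk matrix arithmetic: inherent vs residual rating against risk appetite.

Added worked example, not from the slides. Scale and sample risks are constructed
assumptions: likelihood (L) and impact (I) each 1..5, rating = L x I (max 25).
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = lowest, 5 = highest


@dataclass
class Risk:
    ref: str                    # register reference (constructed, e.g. "R1")
    description: str
    inherent_l: int             # likelihood before any control
    inherent_i: int             # impact before any control
    residual_l: int             # likelihood with current controls
    residual_i: int             # impact with current controls
    controls: list = field(default_factory=list)


def rating(likelihood: int, impact: int) -> int:
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def band(score: int) -> str:
    """Map a 1..25 score to a colour band (thresholds are an assumption)."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def assess(risk: Risk, acceptable: int) -> dict:
    """Return inherent/residual ratings and whether more response is needed.

    Follows the slide logic: if RESIDUAL still exceeds ACCEPTABLE risk,
    additional risk response should be implemented. A control can never
    raise residual above inherent; that would indicate a scoring error.
    """
    inherent = rating(risk.inherent_l, risk.inherent_i)
    residual = rating(risk.residual_l, risk.residual_i)
    if residual > inherent:
        raise ValueError(f"{risk.ref}: residual {residual} exceeds inherent {inherent}")
    return {
        "ref": risk.ref,
        "inherent": inherent, "inherent_band": band(inherent),
        "residual": residual, "residual_band": band(residual),
        "acceptable": acceptable,
        "needs_more_response": residual > acceptable,
    }


def risk_register(risks, acceptable=6):
    """Assess every risk against one acceptable rating (6 = LOW band, an assumption)."""
    return [assess(r, acceptable) for r in risks]


# Constructed sample register entries (not taken from the deck's risk map).
SAMPLE_RISKS = [
    Risk("R1", "No tested backup; restore may fail", 4, 5, 2, 5,
         ["nightly backup", "quarterly restore test"]),
    Risk("R2", "Shared admin account on ERP", 3, 4, 3, 4, []),
    Risk("R3", "Stale firewall rule base", 3, 3, 1, 3, ["quarterly rule review"]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        flag = "ACTION" if row["needs_more_response"] else "ok"
        print(f"{row['ref']}: inherent {row['inherent']:2d} ({row['inherent_band']}), "
              f"residual {row['residual']:2d} ({row['residual_band']}) -> {flag}")
```

R1 and R2 both come out above the acceptable rating after current controls, so the matrix would carry a control improvement for each; R3 falls within appetite. R2 shows the common case where a risk has no controls at all, so inherent and residual are identical.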

Page 13

Risk Map

[Figure: 5 x 5 risk map, Likelihood (1-5) on one axis against Impact (1-5) on the other, with risk references (A1, A2, A4, A5, A7, B1, B5, C1, C2, C3, C4, E1, E2, F1, G2, G3, G5, H3, I2, I3, J1, K1, L1) plotted in the cells]

Page 14

Page 15

22/11/07

IT Governance – The definition

“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

The relationships are between management and its governing body.

The processes cover:
• setting objectives
• giving direction on how to attain them
• measuring performance

Page 16

IT Governance components

IT Governance focuses on:

• IT Value Delivery

• Managing Risks

• Resource Management

Page 17

Critical mission for IT & Business Alignment

• Ensure that board members and other senior managers are continuously educated in IT.

• Ensure that IT leadership and key IT managers are given resources (especially time) to help them fully understand the business, its industry and its markets.

• Ensure that IT is a regular item on the board agenda, not just annually as part of the budgeting process.

• Embed the IT planning process (three-year plan and budget) into the enterprise strategic planning process.

• Establish appropriate IT-related committee structures.

Page 18

IT Value Delivery

• What values will IT deliver to an organisation?
  • Increased productivity
  • New services
  • Competitive advantage
  • Better image

• How will the values be delivered?
  • In line with business requirements
  • Flexible for future needs
  • Easy to use, durable and safe

Page 19

Risk Management

• Establish an IT risk assessment process
• Continuously assess IT risks
• Define clear roles and responsibilities
• Report regularly on risks
• Embed risk management in IT processes

Page 20


Performance Measurement

Page 21

Page 22

Overview

Page 23

Product Family

Page 24

COBIT 5 is based on 5 principles:

1. Meeting Stakeholder Needs: customised benefits realisation and optimised risk (goals cascade)

2. Covering the Enterprise: all functions and processes (not only IT)

3. A Single Integrated Framework: aligned with other standards and frameworks (at a high level)

4. A Holistic Approach: takes into account several interacting components (7 enablers)

5. Separate Governance from Management: clear distinction between governance and management

Page 25

Principle 1 – Meeting Stakeholder Needs (Cont)

Page 26

Page 27

Principle 2 – Covering the Enterprise

Page 28

Principle 3 – A Single Integrated Framework

Page 29

Principle 4 – A Holistic Approach

Page 30

Principle 5 - Separate Governance from Management

- Governance: Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

- Management: Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Page 31

Enabling Process

Page 32

COBIT 5 – Process Reference Model

Evaluate, Direct and Monitor (EDM)
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Align, Plan and Organise (APO)
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Build, Acquire and Implement (BAI)
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support (DSS)
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance with External Requirements

Page 33

COBIT 5 – Process Reference Model

Details of each process:

• Process Description
• Process Purpose Statement
• IT-Related Goals and Related Metrics
• Process Goals and Related Metrics
• Key Management Practices with RACI Chart
• Management Practice: Inputs, Outputs, Activities
• Related Standards

Page 34

IT Controls

Page 35

Component of IT Controls

• IT Control Environment (Entity Level Control)

• IT General Control

• IT Application Control

Page 36

Component of IT Controls

[Figure: the control environment surrounds the IT general controls (ITGC), which in turn surround the application controls and their data files]

Page 37

Controls Environment

• IT Policies & Procedures

• IT Organisation Structures (Roles & Responsibilities)

• Human Resource Management

• Tone at the Top

• Culture

Page 38

Controls Environment

IT Policies & Procedures:
• IT usage policy
• IT security policy
• System development policy
• System development and change procedures
• Security administration procedure
• IT operation procedure & manual

Page 39

IT General Controls (ITGC)

Page 40

IT General Control (ITGC)

• is the foundation of the overall control of the IT environment

• is mainly the responsibility of IT management, and mostly sits within the IT department

• COBIT is a good collection of all ITGCs.

Page 41

IT General Controls (ITGC)

• System development & changes

• Operation

• Disaster recovery plan

• Security Management

Page 42

System Development & Changes

Page 43

Who should be involved?

• Senior management

• User management & staff

• IT management & staff

• Auditors (?)

• Project Manager

• Project Owner

• Project Sponsor

Page 44

Type of System Development

• In-house development
• Purchase of commercial software

Considerations:
• Implementation time
• Cost
• Reliability
• Independence
• Customisation
• Maintenance
• Future concerns

Page 45

Systems Development Today

Page 46

Risks and Controls - What Management Needs to Know

• Are we building the right product?

• Are we building the product right?

Page 47

Auditing Systems Development - Initiation Phase

Control objectives:

• Project objectives have been clearly defined, documented and communicated.

• Organisational structure and reporting mechanisms are properly defined.

Page 48

Auditing Systems Development - Analysis Phase

Control objectives:

• Business and control requirements are clearly defined and documented.

• Requirements are consistent with objectives.

Page 49

Auditing Systems Development - Design Phase

Control objectives:

• Design incorporates business requirements

• Design incorporates control requirements

• Design incorporates audit requirements

• Auditor requirements: embedded audit routines, exception reports

Page 50

Auditing Systems Development - Construction Phase

Control objectives:

• New system is adequately tested: comprehensive test plan, business user involvement, IS involvement, audit involvement, documented test results

• All requirements are tested

Page 51

Auditing Systems Development - Implementation Phase

Control objectives:

• Critical operational controls have been implemented

• Business user approval

• System is migrated via a protected environment

• System performs as designed

• Original business requirements are satisfied

Page 52

System Implementation

Implementation approaches:
• Direct cutover
• Parallel implementation
• Pilot implementation
• Phased (module) implementation

System Documentation:
• System manual
• Operation manual
• User manual
• User procedures

Page 53

System Changes

Page 54

General Controls - System Change

Background

Controls must cover:
• Request/approve
• Feasibility studies
• Design/construction
• Testing
• Program transfers
• Parallel testing
• System documentation

Page 55

Disaster Recovery Plan

Page 56

The Hamburger Model

THREATS: fire, flood, storm, bomb; power and equipment failures; computer system breakdown

Shield (in front of Your Business): access controls, hazard detection and prevention, redundancy, backup

Emergency Response: evacuate, medical, public relations, emergency funds

Impact (Safety Net): massive disruption to business operations, adverse media coverage, poor image, loss of customer confidence, financial loss

Plans shown alongside the layers: BUSINESS CONTINUITY PLAN, DISASTER RECOVERY PLAN

Page 57

What is the right approach and/or solutions?

Risk Analysis

Page 58

Business Continuity Plan

• An integrated set of procedures and resource information that is used to recover from an event that has caused a disruption to business operations.

• It answers the newspaper questions: who, what, when, where, why, how.

Page 59

IT Operation

Page 60

IT Operation comprises:
• Turning systems on/off
• Monitoring usage
• Problem/incident handling
• Batch processing
• Backup/restore
• Report printing & distribution

Page 61

IT Operation controls:
• Steps are clearly defined
• Adequate training
• Supervision

Page 62

System Security

Page 63

Security - Background

• Security can be broadly defined as the control structure established to manage the Confidentiality, Integrity and Availability of IS data and resources.

Page 64

Security - Background

Effective security includes:

• Management and administration

• Logical security

• Physical security

Page 65

Security - Controls - Security Policy

• The policy is also a legal and human resources document and should be handled accordingly.

• All users should sign to indicate understanding of, and agreement to comply with, the security policy.

• All users should periodically (typically annually) reconfirm continued understanding of and compliance with the security policy.

Page 66

Security - Password Controls

• Minimum length, e.g. 8 characters

• Alphanumeric plus special characters

• Expiry after a set number of days, e.g. 120 days

• Non-repeatable, e.g. none of the last 10 passwords may be reused

• Not easily guessed, e.g. no dictionary words

• No sharing

• Suspend the account after a set number of invalid sign-on attempts

• Not displayed during log-in
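The controls above expressed as an added checker, not code from the slide deck: the thresholds are the slide's own examples (8 characters, 120-day expiry, no reuse of the last 10), the lockout limit of 5 attempts is an assumption because the slide gives no number, and the dictionary is a short constructed stand-in for the word lists a cracker would actually use. Passwords are stored as salted PBKDF2 digests so that the reuse check works without keeping plaintext history.

```python
"""Password controls from the slide, as an added checker (not deck code).

Thresholds are the slide's examples: min 8 chars, alphanumeric plus special,
expire every 120 days, no reuse of last 10, lockout after N invalid attempts
(N=5 is an assumption; the slide gives no number). The dictionary word list
is a constructed stand-in for a real cracking wordlist.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 120
HISTORY_DEPTH = 10
MAX_INVALID_ATTEMPTS = 5          # assumption, not from the slide
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "admin"}


def _hash(password: str, salt: bytes) -> bytes:
    # Per-account salt so equal passwords on different accounts differ in storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_violations(password: str, history: list, salt: bytes) -> list:
    """Return every rule the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("must contain both letters and digits")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain a special character")
    # "Not easily guessed": reject dictionary words even when padded with digits/punctuation.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    candidate = _hash(password, salt)
    if any(hmac.compare_digest(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


class Account:
    """Tracks invalid sign-on attempts and suspends the account at the limit."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.history = [_hash(password, self.salt)]   # newest digest last
        self.invalid_attempts = 0
        self.suspended = False

    def sign_on(self, attempt: str) -> bool:
        if self.suspended:
            return False
        if hmac.compare_digest(_hash(attempt, self.salt), self.history[-1]):
            self.invalid_attempts = 0
            return True
        self.invalid_attempts += 1
        if self.invalid_attempts >= MAX_INVALID_ATTEMPTS:
            self.suspended = True
        return False

    def change_password(self, new: str) -> list:
        """Apply the policy; only a clean candidate becomes the current password."""
        problems = policy_violations(new, self.history, self.salt)
        if not problems:
            self.history.append(_hash(new, self.salt))
        return problems
```

Note that "Password1!" satisfies length and character-class rules yet is rejected, because the dictionary check strips digits and punctuation before the lookup; a cracker's rule set does the reverse transformation just as cheaply.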

Page 67

How well do crackers crack passwords?

Page 68

Security - Controls - Physical Security

Typically involves:
• Physical access to hardware, software, and data
• Fire prevention, detection, and control
• Environmental hazard prevention, detection, and control

Safety of employees and personnel on-site must be the first concern.

Page 69

Security - Controls - Logical Security

Software-based controls that allow:

• Identification of individual users of IS data and resources

• Restriction of access to specific data or resources

• Generation of audit trails of system and user activity

Page 70

Access Control

[Figure: a Sales System and an Accounting System, each reached through Access Control at the application level (A/P) and again through Access Control at the operating system level (O/S), in front of the shared database/files/tables]

Page 71

Introduction to OS (cont)

Access Control Program:
• Authentication
• Authorization
• Audit Logging

Page 72

Introduction to OS (cont)

Authentication
• Identification and confirmation of an individual using pre-defined access data stored in the system
• Types of authentication: knowledge (something you know), possession (something you have), characteristic (something you are)

Page 73

Introduction to OS (cont)

Authorisation
• Check an individual's authorisation before allowing access to specific computer resources (e.g. data files, programs, commands, devices, communication capabilities, etc.)
• Individual rights & resource protection
• Best practice: allow access on a "need-to-use" basis only

Page 74

Introduction to OS (cont)

Audit Logging
• Recording critical activities, such as use of privileged IDs, critical processes, data and utilities, and security events
• Log reviews and log maintenance
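The three functions of an access control program (Pages 71 to 74) in one added example that is not code from the slides. The user table, roles and ACL are constructed. Authentication is by knowledge factor only; authorisation is "need-to-use", so any right not explicitly granted is denied; the audit log records every failed logon, every denial, and every action by a privileged ID, while routine permitted reads are not logged, which is the review-volume trade-off the slide's "critical activities" wording implies.

```python
"""Access control program: authentication, authorization, audit logging.

Added example (not deck code) of the three functions the slides name,
on a constructed user table and ACL. Authorization follows "need-to-use":
anything not explicitly granted is denied.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed roles, resources and the actions each role may exercise.
ACL = {
    "sales_clerk":   {"sales.orders": {"read", "create"}},
    "ap_clerk":      {"ap.invoices": {"read", "create"}, "ap.vendors": {"read"}},
    "ap_supervisor": {"ap.invoices": {"read", "approve"}, "ap.vendors": {"read", "update"}},
    "sysadmin":      {"os.utilities": {"execute"}},
}
PRIVILEGED_ROLES = {"sysadmin", "ap_supervisor"}   # every action by these IDs is logged


class AccessControl:
    def __init__(self):
        self._users = {}          # user_id -> (salt, digest, role)
        self.audit_log = []       # list of dict records, append-only

    # --- administration -------------------------------------------------
    def add_user(self, user_id, password, role):
        if role not in ACL:
            raise ValueError(f"unknown role {role}")
        salt = os.urandom(16)
        self._users[user_id] = (salt, self._digest(password, salt), role)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, event, user_id, **detail):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user_id, **detail})

    # --- authentication (knowledge factor) ------------------------------
    def authenticate(self, user_id, password) -> bool:
        record = self._users.get(user_id)
        # Unknown IDs are compared against a dummy digest so response time
        # does not reveal whether the user exists.
        salt, stored, _ = record if record else (b"\0" * 16, b"\0" * 32, None)
        ok = hmac.compare_digest(self._digest(password, salt), stored) and record is not None
        self._log("logon_success" if ok else "logon_failure", user_id)
        return ok

    # --- authorization (need-to-use) -------------------------------------
    def authorize(self, user_id, resource, action) -> bool:
        record = self._users.get(user_id)
        role = record[2] if record else None
        allowed = action in ACL.get(role, {}).get(resource, set())
        # Audit: all denials, all privileged IDs, all non-read actions.
        if not allowed or role in PRIVILEGED_ROLES or action != "read":
            self._log("access_granted" if allowed else "access_denied",
                      user_id, role=role, resource=resource, action=action)
        return allowed
```

The ACL also encodes segregation of duties inside the application: an AP clerk can create an invoice but can never approve one, and an approver cannot create.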

Page 75

DATABASE

Page 76

Flat File vs Database

[Figure: on the flat-file side, each department (Acct, Mkt, Finance, Prod) keeps its own files; on the database side, one database of customer, invoices, receipts and products is accessed through the DBMS by Query 1 and Query 2]

Page 77

Database Model

[Figure: users and application user programs submit transactions to the DBMS (Data Definition Language, Data Manipulation Language, Query Language), which runs on the host operating system over the physical database; System Development and the Database Administrator are shown as the other parties interacting with the DBMS]

Page 78

Computer Network

Page 79

Network Components

• Computer servers/desktops (with network communication hardware)

• Cable/wire/wireless

• Network equipment: router, firewall, bridge, repeater

• Protocol

Page 80

Network Terminology

• Public network
• Private network
• Virtual private network

Page 81

Network Controls

• Network design (zoning & segmentation)
• Network equipment placement and settings
• Network security software
• Others

Page 82

Network Zoning

Page 83

Network Equipment - Firewall

Controls• OS Controls• Firewall Admin restrictions• RuleBase Setting
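Part of a rule base review can be automated. The following is an added example, not from the slides or any vendor tool: it takes a constructed, simplified rule list and reports the conditions a reviewer checks under "RuleBase Setting": allow rules that permit any source to any destination on any service, rules that do not log their matches, and rules shadowed by an earlier rule so that a first-match engine never evaluates them. The rule fields and sample rules are constructed; a real export carries more fields (interfaces, address groups, time windows) and needs subnet-aware matching rather than the exact-string comparison used here.

```python
"""Firewall rule base review checks.

Added example, not taken from the slides or any vendor tool. The Rule
fields and SAMPLE_RULES are constructed for illustration; real exports
carry more fields and need subnet-aware matching instead of the exact
string comparison used here.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass
class Rule:
    rule_id: int
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"
    log: bool    # whether matches are logged


def covers(earlier: str, later: str) -> bool:
    """True if the earlier field matches everything the later field matches.

    Simplified: a wildcard covers anything, otherwise the values must be equal.
    A production version would compare address ranges and service groups.
    """
    return earlier == ANY or earlier == later


def review_rulebase(rules: List[Rule]) -> List[str]:
    """Return human-readable findings for a rule base, in rule order."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        # Overly permissive: an allow rule with wildcards in every field.
        if (rule.action == "allow" and rule.src == ANY
                and rule.dst == ANY and rule.service == ANY):
            findings.append(
                f"rule {rule.rule_id}: permits any source to any destination on any service")
        # Missing logging removes the detective control over the rule.
        if not rule.log:
            findings.append(f"rule {rule.rule_id}: does not log matches")
        # Shadowing: a first-match engine never reaches a rule whose traffic
        # is fully covered by an earlier rule, whatever the actions are.
        for earlier in rules[:i]:
            if (covers(earlier.src, rule.src) and covers(earlier.dst, rule.dst)
                    and covers(earlier.service, rule.service)):
                findings.append(
                    f"rule {rule.rule_id}: shadowed by rule {earlier.rule_id}, never evaluated")
                break
    return findings


# Constructed sample rule base (first-match order), not a real configuration.
SAMPLE_RULES = [
    Rule(1, "10.0.0.0/8", "dmz-web", "https", "allow", True),
    Rule(2, ANY, "dmz-web", "https", "allow", False),        # no logging
    Rule(3, "10.1.2.3", "dmz-web", "https", "allow", True),  # shadowed by rule 2
    Rule(4, ANY, ANY, ANY, "allow", True),                   # permits everything
    Rule(5, ANY, ANY, ANY, "deny", True),                    # clean-up rule, shadowed by rule 4
]

if __name__ == "__main__":
    for finding in review_rulebase(SAMPLE_RULES):
        print(finding)
```

Rule 5 is the usual clean-up deny; it is reported as shadowed only because rule 4 already allows everything, which is exactly the combination a reviewer wants surfaced.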

Page 84: Application Controls

Page 85: Application Controls (Background)

• Specific to an application, and independent of other applications
• Address completeness, accuracy, validity and authorization of data being processed by the system
• Controls can be “automated” or “manual” and can be “preventive”, “detective” or “corrective”
• Automated Processing
• The level of control depends on the level of business risk
Page 86: Application Controls (Risks)

• Application functions may not be adequately segregated
• Users may have excessive system authorities
• Transactions may be entered incorrectly, incompletely, more than once, or not timely
• Transactions may be processed incorrectly, incompletely, more than once, or not timely
• Outputs may not be properly and safely used
Page 87: Application Controls (Background)

1. Access to application functions (segregation of duties within the application)
2. Input Controls (incl. reject/suspend inputs, interfaces)
   1. Planning & Design
   2. Edit/Validate by the system
   3. Procedures to review accuracy and completeness of input
3. Processing Controls
4. Output Controls (usage & confidentiality)
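The input controls above (edit/validate by the system, reject/suspend inputs) can be illustrated with a small edit routine. The following is an added example, not from the slides: a constructed payment batch is checked for completeness (required fields present), accuracy (numeric positive amount, posting date within the open period), validity (vendor exists in the master file) and authorization (known approver within limit). Failures of the first three reject the entry; authorization failures suspend it for review so that the transaction is held rather than lost. The master data, field names and sample batch are constructed.

```python
"""Input edit/validate routine for a payment transaction batch.

Added example, not from the slides. Master data (VENDOR_MASTER,
APPROVER_LIMITS), the field names and SAMPLE_BATCH are constructed.
Dispositions: 'reject' for completeness/accuracy/validity failures,
'suspend' for authorization failures (held for review), 'accept' otherwise.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List

REQUIRED_FIELDS = ("txn_id", "vendor_id", "amount", "posting_date", "approver")

# Constructed master data.
VENDOR_MASTER = {"V100": "Acme Supplies", "V200": "Northwind Traders"}
APPROVER_LIMITS = {"jdoe": Decimal("5000.00"), "asmith": Decimal("50000.00")}

# Open accounting period for the sample run (constructed).
PERIOD_START = date(2024, 3, 1)
PERIOD_END = date(2024, 3, 31)


@dataclass
class EditResult:
    disposition: str  # "accept", "suspend" or "reject"
    errors: List[str] = field(default_factory=list)


def edit_transaction(txn: Dict[str, str], period_start: date, period_end: date) -> EditResult:
    # Completeness: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not txn.get(f)]
    if missing:
        return EditResult("reject", [f"missing field(s): {', '.join(missing)}"])

    errors: List[str] = []
    # Accuracy: numeric positive amount and a posting date inside the open period.
    amount = None
    try:
        amount = Decimal(txn["amount"])
        if amount <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not numeric")
    try:
        posted = date.fromisoformat(txn["posting_date"])
        if not period_start <= posted <= period_end:
            errors.append("posting date outside the open period")
    except ValueError:
        errors.append("posting date is not a valid ISO date")
    # Validity: the vendor must exist in the master file.
    if txn["vendor_id"] not in VENDOR_MASTER:
        errors.append("vendor not in master file")
    if errors:
        return EditResult("reject", errors)

    # Authorization: approver known and within limit; otherwise suspend for review.
    limit = APPROVER_LIMITS.get(txn["approver"])
    if limit is None:
        return EditResult("suspend", ["approver not authorised"])
    if amount > limit:
        return EditResult("suspend", [f"amount exceeds approver limit of {limit}"])
    return EditResult("accept")


def process_batch(batch: List[Dict[str, str]], period_start: date, period_end: date) -> Dict[str, List[str]]:
    """Split a batch into accepted, suspended and rejected transaction ids."""
    out: Dict[str, List[str]] = {"accept": [], "suspend": [], "reject": []}
    for txn in batch:
        result = edit_transaction(txn, period_start, period_end)
        out[result.disposition].append(txn.get("txn_id", "<no id>"))
    return out


# Constructed sample input batch.
SAMPLE_BATCH = [
    {"txn_id": "T1", "vendor_id": "V100", "amount": "1200.00", "posting_date": "2024-03-05", "approver": "jdoe"},
    {"txn_id": "T2", "vendor_id": "V999", "amount": "300.00", "posting_date": "2024-03-10", "approver": "jdoe"},
    {"txn_id": "T3", "vendor_id": "V200", "amount": "12000.00", "posting_date": "2024-03-12", "approver": "jdoe"},
    {"txn_id": "T4", "vendor_id": "V100", "amount": "", "posting_date": "2024-03-15", "approver": "asmith"},
    {"txn_id": "T5", "vendor_id": "V100", "amount": "12,00", "posting_date": "2024-02-28", "approver": "asmith"},
]


def run_sample() -> Dict[str, List[str]]:
    return process_batch(SAMPLE_BATCH, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for disposition, ids in run_sample().items():
        print(f"{disposition}: {ids}")
```

The suspended entries form the suspense file that the "procedures to review accuracy and completeness of input" work from; rejected entries go back to the originator with the error list.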

Page 89: Computer Environment

[Diagram: three audit perspectives on the computer environment: Audit the General Controls (Computer Center), Audit the Application Controls (Application) and Using Tools to Audit the Information (Data Files).]

Page 90: IT Auditing Areas

Page 91: Risk-Based Audit Approach

[Diagram: Risk is addressed by Internal Controls, leaving Controlled Risks and Uncontrolled Risks. The Audit tests the efficiency of the controls for the controlled risks and responds to uncontrolled risks with Advice for Improvement / Substantive Test.]


Page 93: Auditing Process

1. Strategic Planning
2. Assignment Planning
3. Execution
4. Reporting
5. Follow-Up

Page 94: Auditing Process (Strategic Planning)

1. Business Objectives
2. Define Auditable Areas
3. Risk Assessment: define weight of objectives, define risk factors, assessment, prioritise
4. Define Audit Approach
5. Identify Resources
6. Audit Schedule
7. Audit Strategic Plan

Page 95: Auditing Process (Assignment Planning)

1. Obtain Understandings: system documentation, walk-through testing
2. Risk/Control Analysis: identify risks, risks vs control procedures, identify key controls
3. Prepare Audit Programs: procedures vs audit instructions
4. Allocate Staff

Page 96: Computer Assisted Audit Technique (CAAT)

Page 97: Computer Environment

[Diagram repeated from page 89: Audit the General Controls (Computer Center), Audit the Application Controls (Application), Using Tools to Audit the Information (Data Files).]

Page 98: Nature of CAAT

• Who should be responsible for CAAT?
• Ideally, the general auditor should be responsible for all steps.
• In reality, the computer auditor plays a supporting role.

Page 99: CAAT Considerations

• Mix of Computer and Manual Tests
• Computer Knowledge, Expertise and Experience of the Auditor
• Reliability of General Computer Controls
• Availability of CAATs and Suitable Facilities
• Impracticability of Manual Audit Procedures
• Effectiveness and Efficiency of the Testing
• Development Time

Page 100: CAAT Objectives

• Detailed testing of transactions, data, and processes where efficiency and effectiveness can be gained, or in cases where manual testing is not possible or feasible, including:
  • Testing of Accuracy & Completeness of Processes
  • Analysis and test of data
  • Fraud analysis & Evidence collection

Page 101: Parallel Simulation

[Diagram, reconstructed as steps]
1. Application data is extracted to removable storage
2. Download the data
3. Develop the CAAT program
4. Run the CAAT program, producing a report
5. Compare the CAAT report with the report produced by the application process

Page 102: Test Data Approach / Test Transactions

[Diagram, reconstructed as steps]
1. Copy the application program
2. Prepare CAAT test data (on removable storage)
3. Calculate the expected results manually, producing a report; run the copied program on the test data, producing the application report
4. Compare the two reports
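The comparison step in both techniques (parallel simulation and the test data approach) comes down to recomputing each result independently and classifying the difference. The following is an added example, not from the slides: it recomputes invoice totals with a constructed pricing formula (line gross, then percentage discount, then tax, each rounded to cents) and compares them with a constructed set of application-reported totals, separating exact matches, cent-level rounding differences and exceptions that need follow-up. Under the test data approach the same routine takes hand-calculated expected totals for prepared test transactions in place of the downloaded production records.

```python
"""Parallel simulation of an invoice total calculation.

Added example, not from the slides. The pricing formula (line gross, then
percentage discount, then tax, each rounded to cents) and the records in
APPLICATION_OUTPUT are constructed; in practice the auditor takes the
formula from the system documentation and the records from the data
download (parallel simulation) or from running the copied program on
prepared test transactions (test data approach).
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

CENT = Decimal("0.01")
ROUNDING_TOLERANCE = Decimal("0.01")  # differences up to one cent are treated as rounding


def money(value: Decimal) -> Decimal:
    """Round to cents the way the documented formula specifies (assumed half-up)."""
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


def simulate_total(qty: int, unit_price: Decimal, discount_pct: Decimal, tax_rate: Decimal) -> Decimal:
    """Auditor's independent reimplementation of the documented formula."""
    gross = money(Decimal(qty) * unit_price)
    discounted = money(gross * (Decimal(1) - discount_pct))
    return money(discounted * (Decimal(1) + tax_rate))


def compare(records: List[Dict]) -> List[Dict]:
    """Recompute every record and classify the difference against the reported total."""
    results = []
    for rec in records:
        recomputed = simulate_total(rec["qty"], rec["unit_price"], rec["discount_pct"], rec["tax_rate"])
        diff = rec["reported_total"] - recomputed
        if diff == 0:
            classification = "match"
        elif abs(diff) <= ROUNDING_TOLERANCE:
            classification = "rounding"
        else:
            classification = "exception"
        results.append({"invoice_id": rec["invoice_id"], "recomputed": recomputed,
                        "reported": rec["reported_total"], "difference": diff,
                        "classification": classification})
    return results


# Constructed stand-in for the downloaded application report.
APPLICATION_OUTPUT = [
    {"invoice_id": "INV-1", "qty": 10, "unit_price": Decimal("12.50"), "discount_pct": Decimal("0"),
     "tax_rate": Decimal("0.07"), "reported_total": Decimal("133.75")},
    {"invoice_id": "INV-2", "qty": 3, "unit_price": Decimal("199.99"), "discount_pct": Decimal("0.10"),
     "tax_rate": Decimal("0.07"), "reported_total": Decimal("577.77")},
    # Constructed discrepancy: the reported total does not follow the formula.
    {"invoice_id": "INV-3", "qty": 4, "unit_price": Decimal("50.00"), "discount_pct": Decimal("0.15"),
     "tax_rate": Decimal("0.07"), "reported_total": Decimal("185.50")},
    # Constructed one-cent rounding difference.
    {"invoice_id": "INV-4", "qty": 1, "unit_price": Decimal("0.30"), "discount_pct": Decimal("0"),
     "tax_rate": Decimal("0.07"), "reported_total": Decimal("0.33")},
]


def run_sample() -> List[Dict]:
    return compare(APPLICATION_OUTPUT)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['invoice_id']}: reported {row['reported']} recomputed {row['recomputed']} "
              f"diff {row['difference']} -> {row['classification']}")
```

Decimal arithmetic is used deliberately: binary floating point would itself introduce cent-level noise and make the rounding category meaningless. A systematic pattern in the "rounding" rows (always one cent high, say) is itself a finding about the application's rounding method.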

Page 103: CAAT Steps

1. Determine if CAAT is appropriate
2. Define Audit Objectives
3. Determine Required Data
4. Arrange for data download
5. Perform Analysis & Testing
6. Summarise & Document

Page 104: CAAT Steps (notes on Define Audit Objectives)

• Audit objectives should link to business risks or audit risks
• The auditor requires an understanding of the system
• Consult with the system development group before finalising

Typical test objectives:
• Mathematical accuracy
• Analytical review
• Validity (exception testing & duplicates)
• Completeness (gaps)
• Cut-off

Page 105: CAAT Steps (further notes)

• Understand the business process and conditions
• Field and record conditions
• Understand calculation formulas and methods
• Conceptual design of the testing
• Build & test
• Actual analysis & testing
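The analysis and testing step, using the test types listed on page 104, can be shown on a constructed transaction extract. The following is an added example, not from the slides: it implements validity (duplicate entries and a round-amount exception test), completeness (gaps in the document sequence) and cut-off (documents dated outside the period they were posted to). The field names, the open period and the exception threshold are assumptions; mathematical accuracy is the recomputation already shown under parallel simulation and is not repeated here.

```python
"""CAAT data tests: validity (duplicates, exceptions), completeness (gaps) and cut-off.

Added example, not from the slides. SAMPLE_LEDGER is a constructed
transaction extract posted to one period; the fields (seq, vendor_id,
amount, doc_date) and the round-amount criterion are assumptions.
"""
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import Dict, List

# Open period the extract was posted to (constructed).
PERIOD_START = date(2024, 3, 1)
PERIOD_END = date(2024, 3, 31)
# Exception criterion (constructed): round amounts at or above this value.
ROUND_AMOUNT_THRESHOLD = Decimal("1000")


def find_duplicates(records: List[Dict]) -> List[List[int]]:
    """Validity: groups of entries with the same vendor, amount and document date."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["vendor_id"], rec["amount"], rec["doc_date"])].append(rec["seq"])
    return [sorted(seqs) for seqs in groups.values() if len(seqs) > 1]


def find_sequence_gaps(records: List[Dict]) -> List[int]:
    """Completeness: sequence numbers missing between the lowest and highest seen."""
    seen = sorted(rec["seq"] for rec in records)
    present = set(seen)
    return [n for n in range(seen[0], seen[-1] + 1) if n not in present]


def cutoff_exceptions(records: List[Dict], period_start: date, period_end: date) -> List[int]:
    """Cut-off: entries posted to the period whose document date falls outside it."""
    return [rec["seq"] for rec in records
            if not period_start <= rec["doc_date"] <= period_end]


def round_amount_exceptions(records: List[Dict], threshold: Decimal) -> List[int]:
    """Exception test: whole-hundred amounts at or above the threshold, for follow-up."""
    return [rec["seq"] for rec in records
            if rec["amount"] >= threshold and rec["amount"] % 100 == 0]


# Constructed extract: all entries were posted to March 2024.
SAMPLE_LEDGER = [
    {"seq": 1001, "vendor_id": "V100", "amount": Decimal("250.00"), "doc_date": date(2024, 3, 2)},
    {"seq": 1002, "vendor_id": "V200", "amount": Decimal("1000.00"), "doc_date": date(2024, 3, 3)},
    {"seq": 1003, "vendor_id": "V100", "amount": Decimal("250.00"), "doc_date": date(2024, 3, 2)},   # duplicate of 1001
    {"seq": 1005, "vendor_id": "V300", "amount": Decimal("75.00"), "doc_date": date(2024, 3, 30)},   # 1004 missing
    {"seq": 1006, "vendor_id": "V200", "amount": Decimal("420.00"), "doc_date": date(2024, 4, 2)},   # April document
    {"seq": 1007, "vendor_id": "V100", "amount": Decimal("60.00"), "doc_date": date(2024, 2, 27)},   # February document
]


def run_sample() -> Dict[str, list]:
    """Run every test over the constructed extract and collect the exceptions."""
    return {
        "duplicates": find_duplicates(SAMPLE_LEDGER),
        "gaps": find_sequence_gaps(SAMPLE_LEDGER),
        "cutoff": cutoff_exceptions(SAMPLE_LEDGER, PERIOD_START, PERIOD_END),
        "exceptions": round_amount_exceptions(SAMPLE_LEDGER, ROUND_AMOUNT_THRESHOLD),
    }


if __name__ == "__main__":
    for test_name, hits in run_sample().items():
        print(f"{test_name}: {hits}")
```

Each list is a set of items to follow up, not a conclusion: a sequence gap may be a legitimately voided document and a duplicate key may be two genuine deliveries, so the summarise & document step records the explanation obtained for each hit.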

Page 106: Audit Software

• Generalised Audit Software
• Specialised Audit Software
• Report Writer Utilities / Query Language
• Micro Computer Applications


Page 108: Control quadrant: Cost vs. flexibility (PwC)

[Diagram: a 2×2 quadrant with flexibility (high/low) on one axis and cost (high/low) on the other, placing four control types: manual detective controls, real-time detective controls, automated preventive controls and manual preventive controls.]

Page 109: Continuous auditing overview (Continuous Controls Monitoring)

Continuous Assurance: combination of continuous auditing and audit oversight of continuous monitoring.

Continuous Auditing: includes monitoring, assessing and mitigating risk associated with operations, finance and fraud, automatically and on a more frequent basis. Performed by Internal Audit or the Controls Dept.

Continuous Monitoring: includes the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. Performed by operational/financial management.

Page 110: Internal Audit Process Framework – as is (Technology as an enabler)

Annual cycle:
1. Risk Assessment
2. Audit Plan
3. Fieldwork
4. Reporting
5. Wrap-Up

Technology is being applied here (in audit management and data analysis) to speed up the audit process…

Page 111: How CM/CA should be developed

1. Planning: choose the right area/business process
2. Risk Assessment: identify key risks, indicators and the data required for analysis
3. Acquire & Prepare: an extractor pulls data from the source systems (Billing, ERP, HR, Custom)
4. Analyze: analytics workbench and process analytics over transactions, GL accounts and approvals
5. Manage & Report
