
Upload: arthur-lewis

Post on 13-Dec-2015

IT Risks and Controls

Revised on 2014

Content
• Internal Control
  - What is internal control?
  - Objectives of internal controls
  - Types of internal controls
  - Elements of internal controls
  - Categories of internal controls
• Risk
  - Risk management control
  - Types of risk
  - Risk IT framework by ISACA

CIS B424, Sulfeeza

Internal Control
Any action taken by management to enhance the likelihood that established objectives and goals will be achieved

(Source: Cascarino, 2012)

Objectives and goals of an organization can be divided into:
a) Corporate objectives – the statement of corporate intent
b) Management objectives – how the corporate objectives will be met


Internal Control
Whose responsibility?
• Management is responsible for ensuring that controls are properly planned, organized and directed:
a) Planning – establishing control objectives and goals and choosing the preferred method of utilizing resources
b) Organizing – gathering the required resources and arranging them so that objectives may be attained
c) Directing – authorizing, instructing and monitoring performance


Objectives of Internal Control
1. Reliability and integrity of information
2. Compliance with policies, plans, procedures, laws and regulations
3. Safeguarding assets
4. Effectiveness and efficiency of operations


Types of Internal Control
1. Preventive controls – steps designed to keep errors or irregularities from occurring in the first place

2. Detective controls – steps designed to detect errors or irregularities that may have occurred

3. Corrective controls – steps designed to correct errors or irregularities that have been detected

4. Directive controls – steps designed to produce positive results and encourage acceptable behaviors

5. Compensating controls – a weakness in one control may be compensated by another control elsewhere

(Source: Cascarino, 2012; https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)


Elements of Internal Control
Management must ensure the following when designing internal controls:
1. Segregation of duties
2. Competence and integrity of people
3. Appropriate level of authority
4. Accountability
5. Adequate resources
6. Supervision and review

(Source: Cascarino, 2012)


Limitations of Internal Control
1. Judgment – the effectiveness of controls will be limited by decisions made with human judgment, under pressure to conduct business, based on the information available at hand.

2. Breakdowns – even well-designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.

3. Management Override – high-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes.

4. Collusion – a control system can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems.

(Source: https://intraweb.stockton.edu/eyos/internal_audit/content/docs/icnote2.pdf)


Categories of IT Controls
• Objectives of IT controls are related to the confidentiality, integrity and availability of data and the overall management of the IT function in an organization
• IT controls can be categorized as:
1. IT general controls
2. IT application controls

(Source: Wikipedia)


IT General Controls
• Help to ensure the reliability of data generated by IT systems
• Areas included:
1. General IT controls
2. Computer operations
3. Physical security
4. Logical security
5. Program change control
6. Systems development

(Source: Cascarino, 2012; Wikipedia)


IT Application Controls
• Help to ensure the completeness and accuracy of data processing, from input to output
• Among the controls that can be implemented:
1. Completeness check
2. Validity check
3. Identification
4. Authentication
5. Authorization
6. Input controls
7. Forensic controls

(Source: Wikipedia)


IT Application Controls
1. Completeness check – controls that ensure all records were processed from initiation to completion
2. Validity check – controls that ensure only valid data is input or processed
3. Identification – controls that ensure all users are uniquely and irrefutably identified
4. Authentication – controls that provide an authentication mechanism in the application system
5. Authorization – controls that ensure only approved business users have access to the application system
6. Input controls – controls that ensure the integrity of data fed from upstream sources into the application systems
7. Forensic controls – controls that ensure data is scientifically and mathematically correct based on inputs and outputs

(Source: Wikipedia)
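As an added example (not part of the slides), the following Python sketch shows how several of these application controls look in a batch-processing step: a completeness check against the sender's record count and control total, a validity check on each field, an authorization check against approved account codes, and a forensic-style reconciliation that ties posted and rejected amounts back to the input. The batch header, record layout and account codes are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch header: the sender states record count and total amount.
BATCH_HEADER = {"expected_count": 4, "expected_total": Decimal("1250.00")}
# Constructed records: P003 has a malformed currency, P004 an unapproved account.
RECORDS = [
    {"id": "P001", "account": "4100", "amount": "500.00", "currency": "USD"},
    {"id": "P002", "account": "4100", "amount": "250.00", "currency": "USD"},
    {"id": "P003", "account": "4200", "amount": "300.00", "currency": "US$"},
    {"id": "P004", "account": "9999", "amount": "200.00", "currency": "USD"},
]
APPROVED_ACCOUNTS = {"4100", "4200"}      # authorization: approved codes only
VALID_CURRENCIES = {"USD", "EUR", "GBP"}  # validity: well-formed codes only

def total_of(records):
    """Control total over a set of records (Decimal avoids float drift)."""
    return sum((Decimal(r["amount"]) for r in records), Decimal("0"))

def completeness_check(header, records):
    """Completeness: every record sent must arrive and the amounts must
    reconcile to the sender's control total. Returns findings (empty = pass)."""
    findings = []
    if len(records) != header["expected_count"]:
        findings.append(f"count {len(records)} != {header['expected_count']}")
    if total_of(records) != header["expected_total"]:
        findings.append(f"total {total_of(records)} != {header['expected_total']}")
    return findings

def validity_check(record):
    """Validity and authorization: only well-formed values posted to an
    approved account are accepted. Returns findings (empty = pass)."""
    findings = []
    if record["currency"] not in VALID_CURRENCIES:
        findings.append(f"{record['id']}: bad currency {record['currency']!r}")
    if record["account"] not in APPROVED_ACCOUNTS:
        findings.append(f"{record['id']}: unapproved account {record['account']}")
    return findings

def process_batch(header, records):
    """Apply the controls, post only clean records, and prove that
    posted + rejected == input, so the output is tied back to the input."""
    accepted, rejected = [], []
    for r in records:
        (rejected if validity_check(r) else accepted).append(r)
    return {"findings": completeness_check(header, records),
            "accepted": [r["id"] for r in accepted],
            "rejected": [r["id"] for r in rejected],
            "posted_total": total_of(accepted),
            "reconciled": total_of(accepted) + total_of(rejected) == total_of(records)}
```

Dropping a record from the batch (for example, passing only the first three) makes the completeness check report both a count and a control-total mismatch, which is exactly the loss the slide's "initiation to completion" wording is about.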


IT General and Application Controls Hierarchy

(Figure: a layered hierarchy of controls spanning the Governance, Management and Technical levels, comprising Policies; IT Standards; Management and Organization; Physical and Environmental Controls; Systems Software Controls; Systems Development Controls; Application-based Controls)


Risks
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action

(Source: BusinessDictionary.com)


Risks
So what are threats and vulnerabilities?
• Threat – A possible danger that might exploit a vulnerability to breach security and thus cause possible harm (Source: Wikipedia)

• Vulnerability – A weakness of an asset or group of assets that can be exploited by one or more threats (where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission) (Source: ISO)

Types of Risks
1. Business Risk – The possibility that a company will have lower than anticipated profits, or that it will experience a loss rather than a profit (Source: Investopedia)

2. Audit Risk
a) Inherent Risk – The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances (Source: BusinessDictionary.com)

b) Control Risk – The likelihood that the control processes established to manage inherent risk prove to be ineffective (Source: Cascarino, 2012)

c) Residual Risk – The risk that significant business exposures have not been adequately addressed by the audit process (Source: Cascarino, 2012)

3. Continuity Risk – The possibility that a company will not be able to continue its operations due to weakness in control


IT Risks

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence

(Source: ISO)


Categories of IT Risks

1. IT service delivery risk - associated with the performance and availability of IT services

2. IT solution delivery/benefit realization risk - associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs

3. IT benefit realization risk - associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives


Risk Management
The process which aims to help organizations to understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure

(Source: Institute of Risk Management)


Risk IT Framework


Domains of Risk IT Framework

a) Risk Governance – Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.

b) Risk Evaluation – Ensure that IT-related risks and opportunities are identified, analyzed and presented in business terms.

c) Risk Response – Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
