This Lecture Covers IT Control Frameworks

Upload: brice-gallagher

Post on 13-Jan-2016


Page 1: This Lecture Covers IT Control Frameworks. Liberating Control from Fin Reptg ITCG COBIT New frameworks such as AICPA/CICA SysTrust Principles and Criteria

This Lecture Covers

• IT Control Frameworks

Page 2: Liberating Control from Fin Reptg

• ITCG

• COBIT

• New frameworks such as AICPA/CICA SysTrust Principles and Criteria for Systems Reliability

Page 3: Control Frameworks

Page 4: CICA

[Figure: CICA ITCG control hierarchy. Control Issues (examples shown: Information Technology Planning; Responsibility for Risk Management and Control) -> Minimum Control Standards (A, B, C, D, etc.) -> Control Objectives (A1, A2, B1, etc.) -> Control Techniques (A1-1, A1-2, A1-3, A2-1, B1-1, etc.)]

Page 5: ISACA

• Introduced CoBIT, CoBIT2, CoBIT3 (2000)

• Emphasized IT controls

• Identifies 34 high level control objectives

• Has 302 recommended detailed control objectives

• Complex to use

• Becoming widely accepted

Page 6: ISACA

[Figure: the COBIT cube. Its three axes are Information Criteria; IT Processes, broken down into Domains, Processes and Activities/Tasks; and the IT resources People, Application Systems, Data, Technology and Facilities.]

Page 7: ISACA

Page 8: Comparison of Control Models

COSO                        | COCO                  | SYSTRUST v. 3
----------------------------+-----------------------+---------------
Environment                 | Purpose               | Policies
Risk Assessment             | Commitment            | Communication
Control Activities          | Capability            | Procedures
Information & Communication |                       |
Monitoring & Learning       | Monitoring & Learning | Monitoring

Page 9: Control environment

• Management philosophy and operating style - attitudes toward financial reporting, risk taking, meeting budgets, etc.; these have a significant impact on the control structure

• Organizational structure - consider form and nature of org. units and assign authority and responsibility appropriately

• Audit committee - should have an active one

Page 10: Control environment (cont’d)

• Effective methods to communicate and assign responsibility

• Effective management control methods

• Proper system development methodology - for developing and modifying systems and procedures, including programs

• Effective personnel methods - hiring, firing, evaluating, promoting and compensating

• External controls - such as regulatory agencies

Page 11: Risk Assessment

Identify control objectives/requirements of users, regulators and other stakeholders (e.g., availability, security, integrity & maintainability)

Assess risks by anticipating/ forecasting threats that can lead to system errors, faults, failures

Select controls/ countermeasures to deter, prevent, detect and correct unacceptable errors, faults and failures and tolerate acceptable errors, faults and failures

Page 12: Risk Assessment (cont’d)

• Categories of exposures - (1) potential disasters such as interruption, loss of data, material inaccuracies, manipulation, and (2) competitive disadvantage - loss of position, inefficient use of IT, excessive technology expenditures, etc.

• Exposure weights - distinguish the severity of different types of consequences, e.g., frauds vs. errors; one may be more significant than the other at any time (a fraud due to management override is severe, but a continuing error caused by a control weakness may be worse at times)

• Risk and magnitude must be assessed before preventive/detective controls are introduced

Page 13: Risk Assessment: Identify Sources of Exposures and Degrees of Risk

[Figure: matrix of risk sources. Columns are the system components Infrastructure, Software, People, Procedures and Data. Rows are the four principles Availability, Security, Integrity and Maintainability, each examined against the criteria Policy, Communication, Procedures and Monitoring.]

Page 14: Risk Assessment

Warning signs that problems exist in systems include

• recurring system outages

• constant redoing of apps

• repeated requests for hardware replacements

• recurring system conversions

• rapidly growing budget

• excessive reliance on outsiders

• high staff turnover

• no long term plans

• continual dissatisfaction with info

• persistent errors

• hard to communicate with IT personnel

Page 15: Risk Assessment

Strategies for Dealing with Risks

• need to reduce risk to an acceptable level (never achieve 0) by comparing costs/benefits

• use of deterrent, directive, preventive controls

• assess probability of loss occurring from exposure

• probability of control system failure - can’t prevent all errors

• determine potential size of loss consequences

• use weighted exposure - assess probability * loss * importance

• use of detective controls - maximize chance at detection
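The following is an added worked example, not part of the lecture slides: it implements the slide's weighted exposure (probability * loss * importance), folds in the probability that the control system fails, and applies the cost/benefit test to decide whether a control is worth implementing. The exposures, controls, probabilities and money amounts are constructed sample values, and the function names are this example's own.

```python
"""Weighted-exposure risk scoring with a control cost/benefit screen.

Added example (not from the lecture). Implements the slide's
"probability * loss * importance" weighting, the residual exposure that
remains because a control can fail, and the cost/benefit comparison used
to decide whether a control is worth implementing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    p_loss: float       # probability the exposure occurs in the period (0..1)
    loss: float         # potential size of the loss consequence (currency units)
    importance: float   # weight separating e.g. fraud from error (>= 1.0)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the control costs to operate per period
    p_failure: float    # probability the control fails to prevent/detect (0..1)


def weighted_exposure(e: Exposure) -> float:
    """Slide formula: probability * loss * importance."""
    return e.p_loss * e.loss * e.importance


def residual_exposure(e: Exposure, c: Control) -> float:
    """Exposure left over because no control stops every error:
    the weighted exposure scaled by the chance the control fails."""
    return weighted_exposure(e) * c.p_failure


def net_benefit(e: Exposure, c: Control) -> float:
    """Reduction in weighted exposure minus the control's cost."""
    return (weighted_exposure(e) - residual_exposure(e, c)) - c.annual_cost


def worth_implementing(e: Exposure, c: Control) -> bool:
    """Cost/benefit test: implement only when the benefit exceeds the cost."""
    return net_benefit(e, c) > 0


def rank_exposures(exposures):
    """Order exposures by weighted exposure, largest first."""
    scored = [(e.name, weighted_exposure(e)) for e in exposures]
    return sorted(scored, key=lambda t: -t[1])


# Constructed sample data (hypothetical figures, not from the lecture).
SAMPLE_EXPOSURES = [
    Exposure("payroll fraud via management override", p_loss=0.05, loss=400_000, importance=2.0),
    Exposure("loss of data from failed backups", p_loss=0.10, loss=150_000, importance=1.5),
    Exposure("recurring data-entry errors", p_loss=0.60, loss=20_000, importance=1.0),
]

# One candidate control per exposure, keyed by exposure name (constructed).
SAMPLE_CONTROLS = {
    "payroll fraud via management override":
        Control("dual authorization of payroll changes", annual_cost=8_000, p_failure=0.20),
    "loss of data from failed backups":
        Control("offsite backup with restore testing", annual_cost=5_000, p_failure=0.10),
    "recurring data-entry errors":
        Control("full weekly reconciliation", annual_cost=15_000, p_failure=0.10),
}


def control_decisions(exposures=SAMPLE_EXPOSURES, controls=SAMPLE_CONTROLS):
    """Return {exposure name: (net benefit, implement?)} in ranked order."""
    by_name = {e.name: e for e in exposures}
    decisions = {}
    for name, _score in rank_exposures(exposures):
        e, c = by_name[name], controls[name]
        decisions[name] = (round(net_benefit(e, c), 2), worth_implementing(e, c))
    return decisions


if __name__ == "__main__":
    for name, score in rank_exposures(SAMPLE_EXPOSURES):
        benefit, implement = control_decisions()[name]
        print(f"{name}: weighted exposure {score:,.0f}, "
              f"net benefit of control {benefit:,.0f}, implement={implement}")
```

Note that the reconciliation control comes out with a negative net benefit even though it would catch most errors: the exposure it addresses is small, so its cost exceeds the reduction it buys, which is the trade-off the slide's cost/benefit bullet describes.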

Page 16: Control Activities

• Performance reviews - comparison of actual versus budget, analyses and follow-ups; corrective action

• Information processing - general and application controls

• Physical controls - asset safeguarding, access controls, periodic counts and reconciliations of assets/records

• Segregation of duties - separate authorizing, recording and custody
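As an added example (not from the lecture), the segregation-of-duties bullet can be turned into an automated check over role assignments: a finding is raised whenever one person holds more than one of the authorizing, recording and custody functions within the same business process. The role catalogue, process names and user assignments below are constructed, and the function names are this example's own.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example (not from the lecture). Flags any user who holds two or more
of the incompatible functions (authorize, record, custody) in the same
process. Holding the same function in two different processes is not a
conflict. All roles, processes and users are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

SOD_FUNCTIONS = ("authorize", "record", "custody")

# Constructed role catalogue: role -> (business process, SoD function).
ROLE_FUNCTIONS = {
    "ap_invoice_approver": ("accounts_payable", "authorize"),
    "ap_clerk": ("accounts_payable", "record"),
    "ap_payment_release": ("accounts_payable", "custody"),
    "payroll_approver": ("payroll", "authorize"),
    "payroll_admin": ("payroll", "record"),
    "bank_signatory": ("payroll", "custody"),
}

# Constructed assignments: user -> roles held.
ASSIGNMENTS = {
    "alice": {"ap_invoice_approver"},
    "bob": {"ap_clerk", "ap_payment_release"},          # record + custody in AP
    "carol": {"payroll_admin", "ap_clerk"},             # record in two processes: fine
    "dave": {"payroll_approver", "payroll_admin", "bank_signatory"},  # all three
}


def functions_by_process(roles, role_functions=ROLE_FUNCTIONS):
    """Map process -> set of SoD functions granted through the given roles."""
    out = defaultdict(set)
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"unknown role {role!r}")
        process, function = role_functions[role]
        if function not in SOD_FUNCTIONS:
            raise ValueError(f"role {role!r} has unknown SoD function {function!r}")
        out[process].add(function)
    return out


def sod_conflicts(assignments=ASSIGNMENTS, role_functions=ROLE_FUNCTIONS):
    """Return sorted (user, process, function_a, function_b) tuples, one for
    every pair of incompatible functions a single user holds in one process."""
    findings = []
    for user, roles in assignments.items():
        for process, funcs in functions_by_process(roles, role_functions).items():
            for a, b in combinations(sorted(funcs), 2):
                findings.append((user, process, a, b))
    return sorted(findings)


def users_in_violation(assignments=ASSIGNMENTS, role_functions=ROLE_FUNCTIONS):
    """Distinct users with at least one SoD conflict, sorted by name."""
    return sorted({f[0] for f in sod_conflicts(assignments, role_functions)})


if __name__ == "__main__":
    for user, process, a, b in sod_conflicts():
        print(f"SoD conflict: {user} holds both '{a}' and '{b}' in {process}")
```

Where a small organisation cannot separate the functions, the finding is the trigger for a compensating control such as the independent review or reconciliation listed earlier on this slide, so the output is worth keeping as an audit record rather than only printing it.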

Page 17: Information & Communication

• Information - methods and records to:

- identify and record all valid transactions

- properly classify transactions

- measure value

- record in proper time period

- present/disclose in the financial statements (f/s)

• Communication - roles and responsibilities

Page 18: Monitoring and Learning

• Monitoring - by management is critical

• Internal and external monitoring (customers, suppliers, etc.)

• CIO, CTO

• Steering committee to represent all key areas

• Internal audit, external audit

• External intelligence gathering firms such as Gartner, Forrester, Jupiter, etc.

Page 19: Limitations of Internal Control

• Circumvention by collusion or management override

• Cost/benefit trade-offs: operating efficiency vs. complex controls

• Changing conditions that may cause deterioration

• Materiality limits

• Reliance on human judgement in design and implementation of controls