Chapter Three: IT Risks and Controls

Assess Risks to Strategy & Objectives
– Control-based vs. risk-based: do not control for the sake of control
– Use controls for risk management, for feedback and process improvement
– Risk management is a continuous process
– Control: a means to achieving your objectives, not an end in itself

What is risk?
– The chance of a negative outcome

Risk Management Process
1. Identify IT risks
2. Assess IT risks
3. Identify IT controls
4. Document IT controls
5. Monitor IT risks and controls

Types of IT Risks
– ______ risk: not achieving business goals and objectives
– ______ risk: chance of failure to uncover a material error
  » Inherent risk: by nature, doing business is risky
  » Control risk: internal control fails to prevent or detect
  » Detection risk: the auditor will not detect existing control failures
– ______ risk: data access and integrity
– ______ risk: availability, backup and recovery
(Choices: Continuity, Security, Audit, Business)

An Approach to IT Risk Assessment
1. Identify threats/exposures
2. Assess vulnerabilities to threats/exposures
3. Determine acceptable risk levels and assess the probability of vulnerabilities

Assessing IT Risk
– Threats and vulnerabilities
– Expected value of risk = Estimated loss × % likelihood of loss
– Risk indicators and risk measurement: risks relative to IT processes

COSO: 5 Components of Internal Control
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

An organization's control environment is:
– Tone at the top
– Attitude of management about internal control
Is trust sufficient for internal control? NO! Segregation of duties.

International IC Standards
– Cadbury (England)
– CoCo (Canada)
– Other country standards

Quality Control Standards
– ISO 9000 series: certifies that organizations comply with documented quality standards
– Six Sigma: an approach to process and quality improvement
  » Customer specification limits lie six standard deviations (6σ) from the process mean
  » No more than 3.4 defects per million
  » DMAIC: Define, Measure, Analyze, Improve, Control
– Control chart: investigate special-cause variation

Six Sigma
The upper and lower specification limits (USL, LSL) are at a distance of 6σ from the mean: 3.4 defects per million.

Sigma level   DPMO       Percent defective   Percentage yield
1             691,462    69%                 31%
2             308,538    31%                 69%
3             66,807     6.7%                93.3%
4             6,210      0.62%               99.38%
5             233        0.023%              99.977%
6             3.4        0.00034%            99.99966%
7             0.019      0.0000019%          99.9999981%

Statements on Auditing Standards
– Issued by the AICPA's Accounting Standards Board
– SAS 78: Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
– SAS 94: The Effect of IT on the Auditor's Consideration of IC in a Financial Statement Audit
– New standards related to risk assessment

ISACA's COBIT
– Integrates IC with information and IT
– Three dimensions: information criteria, IT processes, and IT resources
– Requirements of quality, fiduciary, and security
– Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– New management guidelines

Systems Reliability Assurance
– SysTrust: the auditor provides independent assurance of the client's information system
  » Four criteria for reliability: availability, maintainability, integrity, security
– WebTrust
– New AICPA Trust Principles

Documenting IT Controls
– Internal control narratives
– Flowcharts: internal control flowchart
– IC questionnaires
  » Do not overlook any controls when evaluating various risks
  » Provide auditors with an opportunity to compare notes
  » Help in constructing an internal control narrative/flowchart

Monitoring IT Risks and Controls
– COBIT control objectives associated with monitoring
– Need for independent assurance and audit of IT controls
– Formal risk-management program?

Risk = asset value × threat × vulnerability
– Assets: anything of worth that can be damaged
– Threats: a potential event that can cause an undesirable impact
– Vulnerabilities: problems with the controls protecting assets
– Business or technology change: what new threats does this change introduce?

IT Risk Management Life Cycle
Phase 1: Identify information assets
Phase 2: Quantify and qualify threats
Phase 3: Assess vulnerabilities
Phase 4: Remediate control gaps
Phase 5: Manage ongoing risk

Phase 1: Identify information assets
– Define information criticality values, e.g., <$100 (L), $100–$5,000 (M), >$5,000 (H)
– Identify business functions
– Map information processes
– Identify information assets
– Assign criticality values to information assets

Phase 2: Quantify and qualify threats
– Assess business threats: financial, legal, regulatory threats
– Identify technical, physical, administrative threats
– Identify process-component threats
– Quantify threats: degree of asset loss, likelihood of occurrence

Phase 3: Assess vulnerabilities
– Identify existing controls
– Determine process-component control gaps
– Combine control gaps into an overall risk posture
– Categorize control gaps by severity
– Assign risk ratings

Phase 4: Remediate control gaps
– Choose controls: choosing controls is purely a business decision
– Rate controls by cost and effectiveness
– Implement controls: improperly implemented controls?
– ______ new controls: the IT audit team tests their effectiveness
– Recalculate risk ratings: risks after mitigation?
(Validate)

Phase 5: Manage ongoing risk
– Create a risk baseline
– Reassess risk after:
  » Corporate mergers & acquisitions (excellent topic for your final paper)
  » New system installations
  » Business-function changes
  » New laws & regulations that mandate new controls

Risk Management
– Avoid: do not implement activities or processes that incur risk
– ______: define and implement proper controls
– ______: share risk with partners or transfer to insurance
– ______: formally acknowledge and monitor
– ______: remove the source of the risk
(Eliminate, Accept, Transfer, Mitigate, Avoid?)

Risk Management Program
– Establish the purpose of the program (examples: reduce injuries, reduce the cost of insurance)
– Assign responsibility for the risk plan: you should know "Who is responsible?", but also integrate it within all levels of the organization

Discussion Question
What do you do to manage risk in your life?
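The five life-cycle phases, the Phase 1 criticality thresholds and the slide's Risk = asset value × threat × vulnerability formula, carried through end to end as an added example. This is not code from the lecture or from any standard named above; every asset, dollar value, likelihood, control cost and effectiveness figure in it is a constructed sample value, and the acceptable-risk level and the "cheapest control that pays for itself" rule are assumptions chosen to make the Phase 4 cost/effectiveness rating concrete. The register it produces feeds the treatment choice from the Risk Management slide (accept, mitigate, transfer or avoid).

```python
"""Worked pass through the IT risk management life cycle (added illustration).

Phase 1 uses the slide's criticality thresholds (<$100 L, $100-$5,000 M, >$5,000 H),
phases 2-3 use the slide's risk = asset value x threat x vulnerability,
phase 4 rates candidate controls by cost and effectiveness and recalculates
residual risk, and phase 5 records a baseline register for later reassessment.
Every asset, dollar figure, likelihood, cost and effectiveness below is a
constructed sample value, not data from the slides.
"""
from dataclasses import dataclass
from typing import List, Optional


def criticality(value_usd: float) -> str:
    """Phase 1: criticality value from the slide's thresholds."""
    if value_usd < 100:
        return "L"
    if value_usd <= 5000:
        return "M"
    return "H"


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float      # degree of loss if the asset is lost (Phase 2)
    threat: float         # likelihood the threat event occurs per year, 0..1 (Phase 2)
    vulnerability: float  # chance existing controls fail to stop it, 0..1 (Phase 3)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of the vulnerability the control removes, 0..1


def risk(asset: Asset) -> float:
    """Slide formula: risk = asset value x threat x vulnerability (annual expected loss)."""
    return asset.value_usd * asset.threat * asset.vulnerability


def residual_risk(asset: Asset, control: Control) -> float:
    """Phase 4: recalculate the risk rating after a control reduces the vulnerability."""
    mitigated = Asset(asset.name, asset.value_usd, asset.threat,
                      asset.vulnerability * (1.0 - control.effectiveness))
    return risk(mitigated)


def choose_control(asset: Asset, candidates: List[Control],
                   acceptable_risk: float) -> Optional[Control]:
    """Phase 4: rate controls by cost and effectiveness (assumed rule).

    A control is worth buying only if it brings residual risk within the
    acceptable level AND costs less per year than the risk it removes.
    Among those, the cheapest wins; None means no control is worth buying.
    """
    worthwhile = [
        c for c in candidates
        if residual_risk(asset, c) <= acceptable_risk
        and c.annual_cost < risk(asset) - residual_risk(asset, c)
    ]
    return min(worthwhile, key=lambda c: c.annual_cost) if worthwhile else None


def _row(asset, inherent, decision, control, residual):
    return {"asset": asset.name, "criticality": criticality(asset.value_usd),
            "inherent_risk": round(inherent, 2), "decision": decision,
            "control": control, "residual_risk": round(residual, 2)}


def treatment(asset: Asset, candidates: List[Control], acceptable_risk: float) -> dict:
    """Decide accept / mitigate / transfer for one asset; returns one register row."""
    inherent = risk(asset)
    if inherent <= acceptable_risk:
        return _row(asset, inherent, "accept", None, inherent)   # formally acknowledge and monitor
    control = choose_control(asset, candidates, acceptable_risk)
    if control is not None:
        return _row(asset, inherent, "mitigate", control.name, residual_risk(asset, control))
    # No affordable control closes the gap: share with partners / transfer to insurance
    # (or avoid the activity). The register still records it so it gets reassessed.
    return _row(asset, inherent, "transfer", None, inherent)


# --- constructed sample data (not from the slides) ---
ACCEPTABLE_RISK = 2000.0  # annual expected loss the business tolerates per asset (assumed)

ASSETS = [
    Asset("customer database", 50_000, threat=0.30, vulnerability=0.50),
    Asset("payroll file",      20_000, threat=0.10, vulnerability=0.80),
    Asset("department laptop",  1_200, threat=0.20, vulnerability=0.50),
    Asset("marketing brochures",   80, threat=0.50, vulnerability=0.90),
    Asset("server room",      500_000, threat=0.02, vulnerability=0.90),
]

CONTROLS = {
    "customer database": [Control("encryption at rest", 2_000, 0.80),
                          Control("offsite backup",       500, 0.40)],
    "server room":       [Control("fire suppression",  15_000, 0.60)],
}


def risk_baseline(assets=ASSETS, controls=CONTROLS, acceptable=ACCEPTABLE_RISK) -> List[dict]:
    """Phase 5: the baseline register to reassess after mergers, new systems or new laws."""
    return [treatment(a, controls.get(a.name, []), acceptable) for a in assets]


if __name__ == "__main__":
    for row in risk_baseline():
        print(row)
```

Treating threat and vulnerability as probabilities makes the slide's product an annual expected loss, the same quantity the "expected value of risk = estimated loss × likelihood" slide defines, so inherent and residual figures are directly comparable with a control's annual cost. In the sample register the customer database is mitigated (encryption brings 7,500 down to 1,500 for 2,000 a year), the server room is transferred because the only candidate control costs more than the risk it removes, and the low-value assets are accepted and monitored rather than controlled for the sake of control.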
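The sigma-level table on the Six Sigma slide can be reproduced from the normal distribution; the following is an added example, not code from the lecture. Two conventions are assumed because they are what make the slide's figures come out: the process mean is allowed to drift 1.5σ toward one specification limit (the usual Six Sigma "shift"), and only the tail beyond that limit is counted as defective. Without the shift, a 6σ process would show roughly 0.001 DPMO rather than 3.4.

```python
"""Reproduce the Six Sigma sigma-level / DPMO table (added illustration, not from the slides).

Assumed conventions: a 1.5 sigma long-term mean shift and a one-sided count of
defects beyond the nearer specification limit. These are the conventions under
which "6 sigma" corresponds to the slide's 3.4 defects per million.
"""
import math

SHIFT = 1.5  # long-term mean drift assumed by the Six Sigma convention


def tail_probability(z: float) -> float:
    """P(Z > z) for a standard normal Z, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def dpmo(sigma_level: float, shift: float = SHIFT) -> float:
    """Defects per million opportunities when the spec limit sits sigma_level
    standard deviations from the nominal mean and the mean has drifted by shift."""
    return 1_000_000 * tail_probability(sigma_level - shift)


def percent_defective(sigma_level: float) -> float:
    """DPMO expressed as a percentage of opportunities."""
    return dpmo(sigma_level) / 10_000  # DPMO / 1e6 * 100


def percent_yield(sigma_level: float) -> float:
    """Share of opportunities that meet specification."""
    return 100.0 - percent_defective(sigma_level)


def table(levels=range(1, 8)):
    """Rows of (sigma level, DPMO, % defective, % yield) matching the slide's layout."""
    return [(k, dpmo(k), percent_defective(k), percent_yield(k)) for k in levels]


if __name__ == "__main__":
    print(f"{'Sigma':>5} {'DPMO':>12} {'% defective':>14} {'% yield':>12}")
    for k, d, pd, py in table():
        print(f"{k:>5} {d:>12,.3f} {pd:>14.7f} {py:>12.7f}")
```

Running it prints 691,462 DPMO at 1σ down to 0.019 at 7σ, the slide's column; passing `shift=0` to `dpmo` shows how much of the 3.4-per-million figure depends on the shift convention, which is worth knowing when a vendor or auditee quotes a sigma level.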