Lecture3-Student-Audit

Chapter Three
IT Risks and Controls
Assess Risks to Strategy & Objectives
Control-based vs. Risk-based
Do not control for the sake of control
Use Controls for RISK Management, for feedback & process improvement
Risk Management is a continuous process
Control: a means of achieving your objectives, not an end in itself
What is risk?
Chances of Negative Outcomes
Risk Management Process
– Identify IT Risks
– Assess IT Risks
– Identify IT Controls
– Document IT Controls
– Monitor IT Risks and Controls
Types of IT Risks
______ risk
– Not achieving business goals and objectives
______ risk (chance of failure to uncover a material error):
– inherent risk: by nature, doing business is risky
– control risk: internal control fails to prevent or detect
– detection risk: auditor will not detect existing control failures
______ risk: data access and integrity
______ risk: availability and backup and recovery
Fill in the blanks from: Continuity, Security, Audit, Business
An Approach to IT Risk Assessment
1. Identify Threats/Exposures
2. Assess Vulnerabilities to Threats/Exposures
3. Determine Acceptable Risk Levels and Assess Probability of Vulnerabilities
Assessing IT Risk
– Threats and vulnerabilities
– The expected value of risk = Estimated Loss x % Likelihood of loss
– Risk indicators and risk measurement – risks relative to IT processes
COSO – 5 components of IC
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring


An Organization’s Control Environment is:
– Tone at the top
– Attitude of management about Internal Control
Is Trust sufficient for Internal Control? NO!
– Segregation of Duties
International IC Standards
– Cadbury (England)
– CoCo (Canada)
– Other country standards

Quality Control Standards
– ISO 9000 series – certifies that organizations comply with documented quality standards
– Six Sigma – an approach to process and quality improvement
  » Customer specification limits lie six standard deviations from the process mean
  » No more than 3.4 defects per million
  » DMAIC: Define, Measure, Analyze, Improve, Control
Control Chart – Investigate special-cause variation
Six Sigma
– The upper and lower specification limits (USL, LSL) are at a distance of 6σ from the mean
– 3.4 defects per million
Sigma level | DPMO    | Percent defective | Percentage yield
1           | 691,462 | 69%               | 31%
2           | 308,538 | 31%               | 69%
3           | 66,807  | 6.7%              | 93.3%
4           | 6,210   | 0.62%             | 99.38%
5           | 233     | 0.023%            | 99.977%
6           | 3.4     | 0.00034%          | 99.99966%
7           | 0.019   | 0.0000019%        | 99.9999981%
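The DPMO column of this table is the upper tail of a standard normal distribution evaluated at (sigma level minus 1.5), the usual long-term 1.5σ shift convention. The following Python is an added example, not part of the lecture slides: it reproduces the table from that definition using only the standard library and inverts it by bisection so an observed defect rate can be turned back into a sigma level. The 1.5σ shift and the one-sided tail are assumptions of the example; the slides state only the 3.4-per-million figure.

```python
import math
from typing import List, Tuple

# Added example, not from the lecture slides. Assumes the conventional 1.5 sigma
# long-term shift and a one-sided tail beyond the nearer specification limit.
SHIFT = 1.5


def upper_tail(z: float) -> float:
    """P(Z > z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def dpmo(sigma_level: float, shift: float = SHIFT) -> float:
    """Defects per million opportunities at a given sigma level (with the shift applied)."""
    return 1_000_000.0 * upper_tail(sigma_level - shift)


def percent_defective(sigma_level: float) -> float:
    """Percent of output outside the specification limits."""
    return dpmo(sigma_level) / 10_000.0  # DPMO / 1e6 * 100


def percent_yield(sigma_level: float) -> float:
    """Percent of output within the specification limits."""
    return 100.0 - percent_defective(sigma_level)


def sigma_level_from_dpmo(target: float, shift: float = SHIFT) -> float:
    """Invert dpmo() by bisection; dpmo is strictly decreasing in the sigma level."""
    lo, hi = 0.0, 12.0
    while hi - lo > 1e-9:
        mid = (lo + hi) / 2.0
        if dpmo(mid, shift) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def sigma_table(levels=range(1, 8)) -> List[Tuple[int, float, float, float]]:
    """Rows of (sigma level, DPMO, percent defective, percent yield), as on the slide."""
    return [(k, dpmo(k), percent_defective(k), percent_yield(k)) for k in levels]


if __name__ == "__main__":
    print("sigma  DPMO          %defective      %yield")
    for k, d, pd, py in sigma_table():
        print(f"{k:<6} {d:<13.3f} {pd:<15.7f} {py:.7f}")
    print("sigma level for 233 DPMO:", round(sigma_level_from_dpmo(233), 2))
```

Rounding the DPMO column to the precision shown on the slide gives exactly the printed values (691,462 at 1σ down to 0.019 at 7σ); the inverse function is what you would use to report the sigma level of a control that fails, say, 233 times per million executions.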
Statements on Auditing Standards
– Issued by AICPA’s Accounting Standards Board
– SAS 78 Consideration of IC in a Financial Statement Audit: An Amendment to SAS No. 55
– SAS 94 The Effect of IT on the Auditor’s Consideration of IC in a Financial Statement Audit
– New standards related to risk assessment
ISACA’s COBit
– Integrates IC with information and IT
– Three dimensions: information criteria, IT processes, and IT resources
  » Requirements of quality, fiduciary, and security
  » Domains: planning and organization, acquisition and implementation, delivery and support, and monitoring
– New management guidelines

Systems Reliability Assurance
– SysTrust
  » Auditor provides independent assurance of the client’s Information System
  » Four criteria for reliability: availability, maintainability, integrity, security
– WebTrust
– New AICPA Trust Principles

Documenting IT Controls
– Internal control narratives
– Flowcharts – internal control flowchart
– IC questionnaires
  » Do not overlook any controls when evaluating various risks
  » Provide auditors with an opportunity to compare notes
  » Help in constructing an internal control narrative/flowchart
Monitoring IT Risks and Controls
– COBit control objectives associated with monitoring
– Need for independent assurance and audit of IT controls

Formal risk-management program?
Risk = asset value x threat x vulnerability
– Assets: anything of value that can be damaged
– Threats: a potential event that can cause an undesirable impact
– Vulnerabilities: problems with the controls protecting assets
Business or Technology Change: what new threats does this change introduce?
IT Risk Management Life Cycle
Phase 1: Identify information assets
Phase 2: Quantify and qualify threats
Phase 3: Assess vulnerabilities
Phase 4: Remediate control gaps
Phase 5: Manage ongoing risk
Phase 1: Identify information assets
– Define information criticality values, e.g., <$100 (L), $100–$5,000 (M), >$5,000 (H)
– Identify business functions
– Map information processes
– Identify information assets
– Assign criticality values to information assets
Phase 2: Quantify and qualify threats
– Assess business threats: financial, legal, regulatory threats
– Identify technical, physical, administrative threats
– Identify process-component threats
– Quantify threats: degree of asset loss, likelihood of occurrence
Phase 3: Assess vulnerabilities
– Identify existing controls
– Determine process-component control gaps
– Combine control gaps – overall risk posture
– Categorize control gaps by severity
– Assign risk ratings
Phase 4: Remediate control gaps
– Choose controls
  » Choosing controls – purely a business decision
  » Rate controls by cost and effectiveness
– Implement controls
  » Improperly implemented controls?
– ______ new controls
  » IT Audit team tests their effectiveness
– Recalculate risk ratings
  » Risks after mitigation?
Validate
Phase 5: Manage ongoing risk
– Create a risk baseline
– Reassess risk when:
  » Corporate Mergers & Acquisitions (Excellent Topic for your Final paper)
  » New system installations
  » Business-function changes
  » New laws & regulations mandate new controls
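As an added example, not from the lecture slides, the following Python walks a constructed one-asset risk register through the five phases above: the $100/$5,000 criticality bands from Phase 1, "Risk = asset value x threat x vulnerability" with the threat term taken as estimated loss x likelihood (the expected-value-of-risk slide), control gaps expressed as residual vulnerability for Phase 3, cost-versus-effectiveness ranking of candidate controls and recalculated ratings for Phase 4, and a baseline comparison for Phase 5. The rating cut-offs, the multiplicative combination of independent controls, and every asset, threat and control figure are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not from the lecture slides. Only the $100 / $5,000 criticality
# bands come from the slides; all other thresholds and figures are constructed.


@dataclass
class Asset:
    name: str
    value: float  # dollar value of the information asset (Phase 1)


@dataclass
class Threat:
    name: str
    likelihood: float     # probability of occurrence per year, 0..1 (Phase 2)
    loss_fraction: float  # degree of asset loss if it occurs, 0..1 (Phase 2)


@dataclass
class Control:
    name: str
    cost: float           # annual cost of running the control (Phase 4)
    effectiveness: float  # fraction of the threat it stops, 0..1 (Phase 3)


Register = List[Tuple[Asset, Threat, List[Control]]]


def criticality(asset_value: float) -> str:
    """Phase 1 criticality bands from the slide: <$100 L, $100-$5,000 M, >$5,000 H."""
    if asset_value < 100:
        return "L"
    if asset_value <= 5000:
        return "M"
    return "H"


def vulnerability(controls: List[Control]) -> float:
    """Phase 3: residual exposure left by the controls in place.
    Assumes independent controls, so their gaps multiply (no controls -> 1.0)."""
    v = 1.0
    for c in controls:
        v *= 1.0 - c.effectiveness
    return v


def risk(asset: Asset, threat: Threat, controls: List[Control]) -> float:
    """Risk = asset value x threat x vulnerability (slide formula); the threat term
    is estimated loss fraction x likelihood, i.e. the expected value of the loss."""
    return asset.value * threat.loss_fraction * threat.likelihood * vulnerability(controls)


def risk_rating(risk_value: float) -> str:
    """Phase 3 risk rating; the $100 / $1,000 cut-offs are assumed for the example."""
    if risk_value >= 1000:
        return "H"
    if risk_value >= 100:
        return "M"
    return "L"


def rank_controls(asset: Asset, threat: Threat, existing: List[Control],
                  candidates: List[Control]) -> List[Tuple[str, float, float]]:
    """Phase 4: rate candidates by (name, annual risk reduction, reduction per dollar)."""
    base = risk(asset, threat, existing)
    scored = []
    for c in candidates:
        reduction = base - risk(asset, threat, existing + [c])
        scored.append((c.name, reduction, reduction / c.cost))
    return sorted(scored, key=lambda s: s[2], reverse=True)


def risk_posture(register: Register) -> float:
    """Phase 3: combine all control gaps into one overall expected-loss figure."""
    return sum(risk(a, t, ctrls) for a, t, ctrls in register)


def reassess(baseline: Dict[str, str], register: Register) -> List[str]:
    """Phase 5: compare current ratings with the recorded baseline and report drift."""
    changed = []
    for a, t, ctrls in register:
        key = f"{a.name}/{t.name}"
        now = risk_rating(risk(a, t, ctrls))
        if baseline.get(key) != now:
            changed.append(f"{key}: {baseline.get(key)} -> {now}")
    return changed


# Constructed sample data for the walk-through
DB = Asset("customer database", 50_000)
RANSOMWARE = Threat("ransomware", likelihood=0.2, loss_fraction=0.5)
EXISTING = [Control("endpoint anti-malware", cost=1_000, effectiveness=0.5)]
CANDIDATES = [
    Control("offline backups", cost=2_000, effectiveness=0.8),
    Control("MFA on admin access", cost=500, effectiveness=0.4),
]


def walk_through() -> Tuple[float, List[Tuple[str, float, float]], float]:
    """Risk before remediation, ranked candidates, risk after adding the top one."""
    before = risk(DB, RANSOMWARE, EXISTING)            # 2500.0 -> rating "H"
    ranked = rank_controls(DB, RANSOMWARE, EXISTING, CANDIDATES)
    chosen = [c for c in CANDIDATES if c.name == ranked[0][0]]
    after = risk(DB, RANSOMWARE, EXISTING + chosen)    # recalculated risk rating
    return before, ranked, after


if __name__ == "__main__":
    b, r, a = walk_through()
    print(criticality(DB.value), b, risk_rating(b), r, a, risk_rating(a))
```

The ranking step is the point of "choosing controls is purely a business decision": the larger control (offline backups) removes more risk in absolute terms, but the cheaper one removes more risk per dollar, and which of those matters is a management choice, not an audit finding. The `reassess` function is the Phase 5 baseline check; run it after any of the trigger events listed above and investigate any rating that moved.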
Risk Management
– Avoid: do not implement activities or processes that incur risk
– ______: define and implement proper controls
– ______: share risk with partners or transfer to insurance
– ______: formally acknowledge and monitor
– ______: remove the source of the risk
Eliminate, Accept, Transfer, Mitigate, Avoid?
Risk Management Program
– Establish the purpose of the program
  » Examples: reduce injuries, reduce the cost of insurance
– Assign responsibility for the risk plan
  » Should know: “Who is responsible?”
  » But also, integrate within all levels of the organization
Discussion Question
What do you do to manage risk in your life?