Uploaded by Solomon A.

Risk Assessment Slides

RISK ASSESSMENT AND AUDIT

Risk Assessment
Risk Assessment (RA)
• A control assessment performed on the controls that are of current concern or interest to
the organization, drawn from the applicable frameworks the organization uses.
• The assessed controls usually validate the company's policy, to confirm
whether the controls are appropriate.
• This involves determining the risk level of each identified control weakness as
the product of the likelihood and the impact of that weakness.
• The primary aim of RA is to eliminate or reduce the risk by correcting the internal
control weaknesses.
Types of Risk assessment:
• Qualitative assessment - subjective; risk impact is based on an
assumption/probability rated as Low, Medium or High.
• Quantitative assessment - objective; based on measurable/predefined data
(time, cost & impact), e.g. a loss estimated at
$10,000-$50,000 or $100,000-$200,000.
Risk Assessment
Basic steps for performing a Risk assessment
• Identify the application for assessment
• Prepare for the Risk assessment - involve individuals such as the Risk Assessor, DevOps,
engineers, IT Managers, Risk Manager, business unit, process owner, etc.
• Conduct the Risk assessment - testing
• Identify threat sources & events
• Identify vulnerabilities
• Determine the likelihood of occurrence
• Determine the magnitude of impact
• Determine the Risk
• Communicate the Risk assessment result - reporting & metrics
• Evergreen - lessons learnt & continuous improvement, etc.
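The slides state the scoring rule (risk = likelihood × impact) and the two assessment styles, but do not show how the numbers are produced. The following is an added example, not part of the slides or any RA tool, that scores a constructed set of control weaknesses both ways: a qualitative Low/Medium/High product with assumed 3-point scales and assumed score bands, and a quantitative expected-loss range from an annual probability and a cost range like the dollar bands quoted above. The finding names, scales, bands and probabilities are all assumptions of this example.

```python
"""Risk scoring for control weaknesses (added example, not from the slides).

Implements risk = likelihood x impact in the two styles the slides describe:
qualitative (Low/Medium/High) and quantitative (probability x cost range).
All findings are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 3-point ordinal scale used for both likelihood and impact.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_risk(likelihood: str, impact: str) -> Tuple[int, str]:
    """Return (score, rating); score = likelihood x impact on a 1..9 scale.

    Band boundaries are an assumption of this example: 1-2 Low, 3-4 Medium,
    6-9 High (5, 7 and 8 cannot occur as products of two 1..3 values).
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return score, "High"
    if score >= 3:
        return score, "Medium"
    return score, "Low"


def quantitative_exposure(probability: float, cost_range: Tuple[int, int]) -> Tuple[float, float]:
    """Expected-loss range = annual probability x (min cost, max cost)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be within [0, 1]")
    lo, hi = cost_range
    if lo < 0 or lo > hi:
        raise ValueError("cost range must be non-negative and ordered (min, max)")
    return probability * lo, probability * hi


@dataclass
class Finding:
    weakness: str          # identified control weakness
    likelihood: str        # Low / Medium / High
    impact: str            # Low / Medium / High
    probability: float     # annual probability used for the quantitative view
    cost_range: Tuple[int, int]  # estimated loss range in dollars


# Constructed sample findings (hypothetical, not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Shared admin account on payroll app", "High", "High", 0.5, (100_000, 200_000)),
    Finding("Backup restore not tested quarterly", "Medium", "High", 0.2, (10_000, 50_000)),
    Finding("Stale vendor accounts not removed", "Medium", "Low", 0.3, (10_000, 50_000)),
    Finding("Patch deployed without change ticket", "Low", "Medium", 0.1, (10_000, 50_000)),
]


def assess(findings: List[Finding]) -> List[dict]:
    """Score every finding and rank them so the report leads with the highest risk.

    Ties on the qualitative score are broken by the upper expected-loss figure,
    which is the value a risk manager would budget against.
    """
    rows = []
    for f in findings:
        score, rating = qualitative_risk(f.likelihood, f.impact)
        exp_lo, exp_hi = quantitative_exposure(f.probability, f.cost_range)
        rows.append({
            "weakness": f.weakness,
            "score": score,
            "rating": rating,
            "expected_loss": (round(exp_lo, 2), round(exp_hi, 2)),
        })
    rows.sort(key=lambda r: (-r["score"], -r["expected_loss"][1]))
    return rows


if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        lo, hi = row["expected_loss"]
        print(f"{row['rating']:<6} ({row['score']}) ${lo:>10,.0f}-${hi:<10,.0f} {row['weakness']}")
```

The ranked output is the "Determine the Risk" step feeding "Communicate the Risk assessment result"; the High-rated rows are the weaknesses the assessment would prioritise for correction.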
RA Tool
Archer: used for creating, tracking, updating & monitoring an inventory of all the
risk actions required. It allows you to make changes to and set deadlines for the actions
needed, and to monitor the progress of each activity.
IRM Checklist Review
IT Government Audit
• General Computer Controls (GCC) & Application Controls table
• COSO, COBIT & SOX
• FISCAM, FISMA & A-123 Audit
• GCC & application controls
• FISMA Audit
• Class quiz & Exercise
IT Government Audit
COSO, COBIT & SOX
COSO - Committee of Sponsoring Organizations of the Treadway Commission, established in
1985 to provide integrated guidance, i.e. an Enterprise Risk Management (ERM) framework
(or guide), against which companies and organizations may assess their internal controls.
• Defined three internal control objectives:
o effectiveness and efficiency of operations, reliability of financial reporting, and
compliance with applicable laws and regulations.
• Defined five internal control components:
o control environment, risk assessment, control activities, information and
communication, and monitoring.
IT Government Audit
COSO CUBE
IT Government Audit
COBIT – Control Objectives for IT
COBIT was designed (by ISACA and the IT Governance Institute) to be part of, and to enhance, COSO with
respect to IT: COBIT targets the IT processes more directly, providing more
detailed guidance than COSO.
The COBIT 5 Framework, released in April 2012, has 37 control objectives/processes grouped into 5 domains (i.e., control
groups/buckets): Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and
Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA).
COBIT 2019 is the latest updated framework (www.isaca.org/cobit).
The Information Technology Infrastructure Library (ITIL) and the International Organization for
Standardization (ISO) standards are international internal control equivalents of COBIT.
IT Government Audit
COBIT 2019 Framework – Core Model
IT Government Audit
SOX – Sarbanes-Oxley Act (2002)
• SOX is named after its sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S.
Representative Michael G. Oxley (R-OH).
• The Act was a response to major corporate and accounting scandals such as those at Enron and
WorldCom.
• SOX section 404 requires the top management of commercial public companies (such as the CEO
and CFO) registered with the Stock Exchange Commission (SEC), i.e., with shares
trading on a stock exchange, to certify the accuracy of their annual financial statements
and to include a report on the effectiveness of internal controls based on the annual SOX
testing.
• The SEC is charged with ensuring compliance with this Act and in turn established the Public
Company Accounting Oversight Board (PCAOB) as the regulator.
• Compliance with SOX can be achieved with COSO and COBIT.
IT Government Audit
SOX Control Objectives
• The IT Governance Institute (ITGI) identified the following 12 control objectives for SOX, drawn from COBIT
and the PCAOB auditing standards.
• IT controls should be part of the SOX 404 assessment only to the extent that specific financial
risks are addressed. These control objectives over financial reporting are contained in the "IT
Control Objectives for Sarbanes-Oxley".
• The 12 controls are further reduced into 3 primary control objectives, known as IT General
Controls (ITGCs), that all organizations are expected to have in place:
• Access control (including system and physical security)
• Change management (including system configuration and development)
• IT Operations (including backup and job scheduling)
IT Government Audit
SOX 12 Control Objectives
• Acquire and maintain application software;
• Acquire and maintain technology infrastructure;
• Enable operations;
• Install and accredit solutions and changes;
• Manage changes;
• Define and manage service levels;
• Manage third-party services;
• Ensure systems security;
• Manage the configuration;
• Manage problems and incidents;
• Manage data; and
• Manage the physical environment and operations.
IT Government Audit
SOX Control Types
• Preventive, Detective and Corrective controls – prevent, detect and correct
likely risks.
• Key controls - primary, important or significant controls which the
organization needs to have in place, such as the ITGCs.
• Non-Key controls - secondary or additional controls whose risk may already have
been addressed by a primary control.
• Testing is focused on key controls in order to save time and to focus on the
controls that address the higher risks (i.e., a risk-based audit).
IT Government Audit
SOX Control Testing - SOX testing phases
• Testing is focused on key controls in order to save time and to focus on the controls that
address the higher risks (i.e., a risk-based audit).
• Planning phase - the controls to test are selected from the control objectives above that are relevant to
the client, to create a control matrix (containing each risk and its associated controls), or they are taken from the
client's established control matrix.
• Create the audit request/PBC list, which is sent to the client, or to the group being audited, to
obtain the evidence needed for the audit.
• Fieldwork
• Reporting
• Follow Up
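The SOX material above describes the artefacts of a risk-based control test (the control matrix, the key/non-key flag, the three ITGC domains, the PBC request list, fieldwork results and the reporting/follow-up of exceptions) but gives no worked instance. The block below is an added example, not from the slides, Archer, or any audit firm's methodology, that carries a constructed control matrix through those phases. The ITGC domain names are the three on the slides; the control IDs, control descriptions, evidence wording and sample sizes are assumptions of this example, and "PBC" is expanded here as "prepared by client", the usual audit meaning.

```python
"""Risk-based SOX key-control testing workflow (added example, not from the slides).

Phases: build the control matrix -> select key controls (risk-based scope) ->
build the PBC evidence request -> record fieldwork results -> summarise
exceptions for reporting and follow-up. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# The three primary control objectives (ITGCs) named on the slides.
ITGC_DOMAINS = ("Access control", "Change management", "IT Operations")


@dataclass
class Control:
    control_id: str        # assumed identifier scheme
    domain: str            # one of ITGC_DOMAINS
    risk: str              # financial-reporting risk the control addresses
    description: str
    key: bool              # key control (tested) or non-key (not in scope)
    evidence: List[str]    # what the PBC list asks the client for

    def __post_init__(self):
        if self.domain not in ITGC_DOMAINS:
            raise ValueError(f"unknown ITGC domain: {self.domain}")


# Constructed control matrix: risk -> control, tagged by ITGC domain.
CONTROL_MATRIX = [
    Control("AC-01", "Access control", "Unauthorised access to the general ledger",
            "Quarterly user access review of GL application roles", True,
            ["Q1-Q4 access review sign-offs", "Current GL user list with roles"]),
    Control("AC-02", "Access control", "Leavers retain access to financial systems",
            "HR termination feed disables accounts within 1 business day", True,
            ["Termination list for the period", "Account-disable timestamps"]),
    Control("CM-01", "Change management", "Unapproved changes reach production",
            "Change tickets approved before deployment; developers cannot deploy", True,
            ["Population of production changes", "Approval records for sampled changes"]),
    Control("CM-02", "Change management", "Untested code deployed",
            "Peer review recorded on each change (risk also covered by CM-01)", False,
            ["Code review records"]),
    Control("OP-01", "IT Operations", "Financial data lost or batch jobs fail silently",
            "Nightly backups monitored; failed batch jobs ticketed and resolved", True,
            ["Backup job logs for sampled dates", "Batch-failure tickets"]),
]


def select_key_controls(matrix: List[Control]) -> List[Control]:
    """Planning: risk-based scope keeps only the key controls."""
    return [c for c in matrix if c.key]


def build_pbc_list(controls: List[Control]) -> Dict[str, List[str]]:
    """Planning: the PBC (prepared-by-client) request, one entry per control in scope."""
    return {c.control_id: list(c.evidence) for c in controls}


@dataclass
class TestResult:
    control_id: str
    sample_size: int
    exceptions: int
    note: str = ""


def summarise(results: List[TestResult], matrix: List[Control]) -> dict:
    """Reporting: every exception becomes a deficiency that is carried into follow-up."""
    in_scope = {c.control_id: c for c in select_key_controls(matrix)}
    deficiencies = []
    for r in results:
        if r.control_id not in in_scope:
            raise KeyError(f"{r.control_id} is not a key control in the test plan")
        if r.exceptions > 0:
            c = in_scope[r.control_id]
            deficiencies.append({"control_id": c.control_id, "domain": c.domain,
                                 "risk": c.risk,
                                 "exceptions": f"{r.exceptions}/{r.sample_size}",
                                 "note": r.note})
    return {"tested": len(results),
            "effective": len(results) - len(deficiencies),
            "deficiencies": deficiencies,
            "follow_up": [d["control_id"] for d in deficiencies]}


# Fieldwork results (constructed).
SAMPLE_RESULTS = [
    TestResult("AC-01", 4, 0),
    TestResult("AC-02", 25, 2, "two leavers disabled after 5 business days"),
    TestResult("CM-01", 25, 0),
    TestResult("OP-01", 20, 1, "one failed backup with no ticket raised"),
]


def run_report() -> dict:
    """Run the whole cycle on the constructed data and return the report."""
    return summarise(SAMPLE_RESULTS, CONTROL_MATRIX)


if __name__ == "__main__":
    print("PBC list:", build_pbc_list(select_key_controls(CONTROL_MATRIX)))
    print("Report:", run_report())
```

The non-key control CM-02 never reaches the PBC list or the report, which is the time saving the slides attribute to risk-based testing; the two controls with exceptions are the ones that carry over into the Follow Up phase.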
Summary Learning
• GCC - 40%
• Frameworks - 40%
• GCC Audit process - 20%