Internal Auditing - CH7 - IT Risks and Controls

The flashcards below were created by user acelaker on FreezingBlue Flashcards.

  1. Information Systems (IS) Auditor
    refers to an auditor who works extensively in the area of computerized information systems and has deep IT risk, control, and audit expertise
  2. Information Systems (IS) Auditor Must Possess
    • 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

    • 1220.A2 – In exercising due professional care, internal auditors must consider the use of technology-based auditing and other data analysis techniques.

    • 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

    • 2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s…information systems…

    • 2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s…information systems…
  3. Role of Internal Audit
    To fulfill its IT-related responsibilities, an internal audit function must:

    • Include the organization’s information systems in its annual audit planning process.

    • Identify and assess the organization’s IT risk.

    • Ensure that it has sufficient IT audit expertise.

    • Assess IT governance, management and technical controls.

    • Assign auditors with appropriate levels of IT expertise to each assurance engagement.

    • Use technology-based audit techniques, as appropriate.
  4. Key Components of Modern IS
    • Computer hardware – Physical components of information systems (e.g., servers, terminals, computer chips)

    • Networks – Links two or more computers or devices together so that they can share information and/or workloads

    • Computer software – Includes operating system software, utility software, database management systems, application and firewall software.

    • Database – Large repository of data, typically contained in many linked files and stored in a manner that allows the data to be easily accessed, retrieved, and manipulated.

    • Information – Information systems collect and store data, transform the data into useful information, and provide the information to internal and external decision makers.

    • People – There are several information systems roles that exist and can include the CIO, a database administrator, system developers, and data processing personnel
  5. Big Data
    A term used to refer to the large amount of constantly streaming digital information, massive increase in the capacity to store large amounts of data, and the amount of data processing power required to manage, interpret, and analyze the large volumes of digital information.
  6. IT Risks
    • Computer hardware is susceptible to power outages that interrupt the processing of transactions.

    • Networks transmit information that may be intercepted and stolen or misused.

    • Computer software that is inaccurately programmed may produce invalid, incomplete, and/or inaccurate information.

    • Databases may be infiltrated for the purpose of misappropriating or misusing information.

    • Information that is invalid, incomplete, and/or inaccurate may result in poor decisions.

    • A person may perform incompatible IT duties and thus be in a position to perpetrate and conceal errors or fraud.
  7. Selection Risk
    refers to the selection of an IT solution that is misaligned with strategic objectives, which may preclude the execution of the IT-dependent strategy
  8. Development, Acquisition and Deployment Risk
    refers to problems encountered during the development, acquisition or deployment of an IT solution, which may cause unforeseen delays, cost overruns, or even abandonment of the project.
  9. Availability Risk
    refers to the system being unavailable when needed, which may cause decision-making delays, business interruptions, lost revenue, and customer dissatisfaction
  10. Hardware and Software Risk
    refers to the failure of hardware and/or software to perform properly, which may cause business interruptions, temporary or permanent damage to or destruction of data, and hardware/software repair or replacement costs.
  11. Access Risk
    refers to unauthorized physical or logical access to the system, which may result in theft or misuse of hardware, malicious software modifications, and theft, misuse, or destruction of data
  12. System Reliability and Information Integrity Risk
    Systematic errors or inconsistencies in processing may produce irrelevant, incomplete, inaccurate, and/or untimely information – which may adversely affect the decisions that are based on the information
  13. Confidentiality and Privacy Risk
    Unauthorized disclosure of business partners' proprietary information or individuals' personal information may result in loss of business, lawsuits, negative press, and reputation impairment.
  14. Fraud and Malicious Acts Risk
    Theft of IT resources, intentional misuse of IT resources, or intentional distortion or destruction of information may result in financial losses and/or misstated information that decision makers rely upon
  15. IT in relation to ERM
    • Internal environment - Directing and overseeing the organization's IT governance process. Establishing the organization's IT risk appetite and defining IT risk tolerance thresholds.

    • Objective setting - Because IT enables the execution of business strategies and the achievement of business objectives, the strategic management of IT operations must be aligned with the overall strategic management of the organization.

    • Event identification - Examples of risk events were described above in the section titled IT Risks

    • Risk assessment - This assessment involves an analysis of the potential adverse consequences and causes of the risk events. The residual impact and likelihood of the identified IT risk events must also be assessed, taking into consideration existing risk management deficiencies.

    • Risk response - Risk acceptance is an appropriate response for IT risk events with inherent impact and likelihood levels that do not exceed management's risk tolerance

    • Control activities - Appropriate risk response policies must be defined and procedures

    • Information and communication - For example, information pertinent to identifying, assessing, and responding to IT risk events must be communicated throughout the organization

    • Monitoring - Management is responsible for monitoring the IT risk management process, including the IT control process, over time to ensure that the process continues to operate effectively and efficiently
  16. IT Control Framework
    • Governance
    • Management
    • Technical
  17. IT Control Framework
  18. IT Control Framework
    • Standards
    • Organizations and Management
    • Physical and Environmental Controls
  19. IT Control Framework
    • Systems Software Controls
    • Systems Development Controls
    • Application-based Controls
  20. IT Governance Controls
    IT governance controls comprise IT policies. These policies establish the nature of the controls that should be in place and address:

    • A general policy on the level of security and privacy throughout the organization.

    • A statement on the classification of information and the rights of access at each level.

    • A definition of the concepts of data and systems ownership, as well as the authority necessary to originate, modify, or delete information.

    • Personnel policies that define and enforce conditions for staff in sensitive areas.

    • Definitions of overall business continuity planning requirements
  21. IT Management Controls
    IT standards support IT policies by more specifically defining what is required to achieve an organization’s objectives.

    • Example – System development processes: When organizations develop their own applications, standards apply to the process for designing, developing, testing, implementing and maintaining information systems and programs
  22. IT Management Controls
    Segregation of duties provides assurance that no single individual can use IT to both perpetrate and conceal errors or fraud. Examples include:

    • Initiating, authorizing, inputting, processing, and checking data should be separated to the extent possible.

    • System access privileges should be aligned with individuals' responsibilities for accessing and processing information.
  23. IT Management Controls 
    protect against cost overruns in developing and implementing information systems and also provide assurance that investments in IT technology yield expected returns and cost savings.
  24. IT Management Controls
    IT change management controls provide assurance that changes to the IT environment, system, software, and data are properly authorized and appropriate and also provide assurance that any changes made produce the desired results.
  25. IT Management Controls
    IT physical and environmental controls protect information system resources (hardware, software, documentation, and information) from accidental or intentional damage, misuse, or loss.

    Examples include:
    • Locating servers in a locked room where access is restricted.
    • Restricting server access to specific individuals.
    • Providing fire detection and suppression equipment.
    • Housing sensitive equipment, applications and data away from environmental hazards.
  26. IT Technical Controls
    System software controls restrict logical access to the organization's systems and applications, monitor system usage, and generate audit trails.

    Examples include:
    • Access rights allocated and controlled according to the organization’s stated policy.
    • Division of duties enforced through system software and other configuration controls.
    • Intrusion testing performed on a regular basis.
    • Change management processes to ensure a tightly controlled process for applying all changes and patches to software, systems, etc.
  27. IT Technical Controls
    Application-based controls are implemented to ensure that:

    • All input data is accurate, complete, authorized and correct.
    • All data is processed as intended.
    • All data stored is accurate and complete.
    • All output is accurate and complete.
    • A record is maintained to track the process of data from input to storage and to the eventual output.
  28. IT Technical Controls (TYPES)
    Application-based controls include:

    • Input controls – used mainly to check the integrity of data entered into a business application (e.g., range check, sign check)

    • Processing controls – provide automated means to ensure processing is complete, accurate and authorized (e.g., error listings)

    • Output controls – address what is done with the data (e.g., distribution controls)

    • Integrity controls – can monitor data in the process and/or storage to ensure that data remains consistent and correct

    • Management trail – processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate results and to trace backward from results to identify the transactions and events they record.
  29. Integrated Auditing
    The integration of IT controls directly into business processes, together with the availability of user-friendly CAATs, is prompting a growing number of internal audit functions to adopt an approach referred to as integrated auditing.

    • Instead of conducting separate assurance engagements focused strictly on process-level IT risks and controls, these internal audit functions assimilate IT risk and control assessments into assurance engagements conducted to assess process-level financial reporting, operations, and/or compliance risks and controls.

    • Internal audit functions that have adopted integrated auditing are finding that this approach benefits their organizations by improving both the effectiveness and efficiency of their internal audit assurance services.

    • Integrated assurance engagements are more effective because the internal auditors are in a much better position to assess the auditee's entire risk portfolio and reach an overall conclusion about the design adequacy and operating effectiveness of controls.
  30. Continuous Auditing
    • The internal audit function's continuous audit responsibility is to assess the effectiveness of management's continuous monitoring activities.

    • In areas of the organization in which management has implemented an effective ongoing monitoring process, internal auditors can conduct less stringent continuous assessments of risk and controls.

    • Conversely, if continuous monitoring is nonexistent or ineffective, the internal audit function must perform more rigorous ongoing risk and control assessments.