Information Technology Risks and Controls
Risk, Threat, Vulnerability
What is Risk?
- Chances of negative outcomes
- A possibility that a threat is capable of exploiting a known weakness or vulnerability
Business Risk
- The likelihood that an organization will not achieve its business goals and objectives
- Chances of occurrence can be attributed to internal and external factors
- Auditors must first become familiar with the enterprise's Strategic Plan
Audit Risk
- The likelihood that an organization's external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or that an IT auditor fails to uncover a material error or fraud.
Audit Risk
Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)
Test of Controls
- Objective is to determine whether adequate internal controls are in place and functioning properly
Substantive Tests
- Involve a detailed investigation of specific account balances
Zero Audit Risk?
- Audit Risk cannot be reduced to zero.
- Risks should be controlled at an acceptable level and in a cost-effective manner
Residual Risk
- Any risk remaining after implementation of effective internal controls
Security Risk
- Includes risks associated with:
i) data access: physical or logical unauthorized access to data
ii) integrity: risks in collecting and processing of data
Continuity Risk
- Includes risks associated with an information system's availability and backup and recovery
Availability: ensures that the information system is always accessible to users
Backup & Recovery: ensures that in case of an interruption in continuity, procedures are available to restore data & operations
Risk Management
- Attempts to balance risk against the needs of the organization
The Risk Management Process
1) Identify IT Risks
2) Assess IT Risks
3) Identify IT Controls
4) Document IT Controls
5) Monitor IT Risks & Controls
Risk Assessment
- Operational process by which risks are identified and characterized.
Risk and Control Self-Assessment (RCSA)
- The process of identifying, recording and assessing potential risks and related controls
IT Risk Assessment
1) Identify Threats/Exposures
   Data confidentiality, availability, integrity, timeliness, accuracy and IT infrastructure
2) Assess Vulnerabilities to Threats/Exposures
   Remote access/on-site access by unauthorized users
3) Determine Acceptable Risk Levels
   Chance is .05 %
4) Assess the Probability of Vulnerabilities
   Guesstimation
Expected Value of Risk = Estimated Loss from Specific Risk × % Likelihood of Loss
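The two formulas on these slides (the audit risk model AR = IR × CR × DR and the expected value of risk from the assessment steps above) worked through in code. This is an added example, not material from the lecture; the risk register figures and the `Risk`, `rank_register` and `required_detection_risk` names are constructed for illustration.

```python
"""Worked example (added here, not from the slides): the audit risk model
AR = IR x CR x DR and the expected-value formula from the IT risk
assessment steps, applied to a constructed risk register."""
from dataclasses import dataclass


def audit_risk(inherent, control, detection):
    """AR = IR x CR x DR; each component is a probability in [0, 1]."""
    for p in (inherent, control, detection):
        if not 0.0 <= p <= 1.0:
            raise ValueError("risk components must be probabilities in [0, 1]")
    return inherent * control * detection


def required_detection_risk(target_ar, inherent, control):
    """Rearranged model: the detection risk the auditor can accept while AR
    stays at the target, given assessed IR and CR (CR comes from the tests
    of controls). Stronger controls (lower CR) allow a higher DR, i.e. less
    substantive testing; DR is capped at 1.0."""
    if inherent <= 0 or control <= 0:
        raise ValueError("IR and CR must be positive")
    return min(1.0, target_ar / (inherent * control))


@dataclass
class Risk:
    threat: str            # step 1: identified threat / exposure
    estimated_loss: float  # estimated loss from this specific risk
    likelihood_pct: float  # step 4: % likelihood of loss (a guesstimate)

    def expected_value(self):
        """Expected Value of Risk = Estimated Loss x % Likelihood of Loss."""
        return self.estimated_loss * self.likelihood_pct / 100.0


def rank_register(register, acceptable_expected_loss):
    """(threat, expected value, exceeds acceptable level) tuples, highest
    expected value first, so the register doubles as a priority list."""
    ranked = sorted(register, key=lambda r: r.expected_value(), reverse=True)
    return [(r.threat, round(r.expected_value(), 2),
             r.expected_value() > acceptable_expected_loss) for r in ranked]


# Constructed sample register (hypothetical figures, not from the slides).
SAMPLE_REGISTER = [
    Risk("Unauthorized remote access to customer data", 500_000, 2.0),
    Risk("Backup media unrecoverable after an outage", 200_000, 0.05),
    Risk("Duplicate transaction posting in the ledger", 20_000, 10.0),
]
```

Calling `rank_register(SAMPLE_REGISTER, 1_000)` flags the first and third risks as above the acceptable level, and `required_detection_risk(0.05, 0.8, 0.5)` shows that with IR 0.8 and CR 0.5 the auditor must hold DR to 0.125 to keep AR at 5%.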
Internal Control Objectives
1) To safeguard assets of the firm
2) To ensure the accuracy and reliability of accounting records and information
3) To promote efficiency of the firm's operations
4) To measure compliance with laws and regulations
Internal Control Limitations
1) Possibility of Error
2) Circumvention
3) Management Override
4) Changing Conditions
Preventive Control
- Passive techniques designed to reduce the frequency of occurrence of undesirable events
Detective Control
- Devices, techniques and procedures designed to identify and expose undesirable events that elude preventive controls
Corrective Control
- Actions that must be taken to reverse the effects of detected errors.
COSO and Other Control Models
- Committee of Sponsoring Organizations (COSO) Framework
- Internal control is broadly defined as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with laws and regulations.
COSO and Other Control Models
- United Kingdom's Cadbury Commission
- Provided a broad definition of internal control and stressed that it encompasses both financial and operational controls and that auditors should report on both
COSO and Other Control Models
- Canadian Criteria of Control Committee (CoCo)
- Similar model in definition and elements but less complex than the first two.
SAS 109
- Based on the COSO framework
- Describes the complex relationship between the firm's internal controls, the auditor's assessment of risk and the planning of audit procedures
COBIT
- Control Objectives for Information and Related Technologies
- Defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model
COBIT 5 [Process Reference Model] (figure)
ITIL
- Information Technology Infrastructure Library
- Set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business
ISO/IEC 27000
- Explains the purpose of an Information Security Management System (ISMS) used to manage information security risks and controls within an organization.
Components of Internal Control
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring
Control Environment
- Sets the tone for the organization
- Influences the control awareness of its management and employees
i. Integrity & ethical values
ii. Organization structure
iii. Board of Directors' and Audit Committee participation
iv. Management's philosophy and operating style
v. Procedures for delegating responsibility & authority
vi. Performance assessment method of management
vii. External influence (ex. regulatory agencies)
viii. Policies and procedures for managing human resources
Risk Assessment
- Identify, analyze and manage risks relevant to financial reporting
- Auditors should understand how management identifies, prioritizes and manages the risks related to financial reporting
Information & Communication
- The Accounting Information System consists of records and methods used to initiate, identify, analyze, classify and record the organization's transactions and to account for the related assets and liabilities.
Monitoring
- Process by which the quality of internal control design and operation can be assessed.
- 2 categories:
i. Physical Controls
ii. Information Technology (IT) Controls
Control Activities
- Policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks
- 2 categories:
i. Physical Controls
ii. IT Controls
Physical Controls
- Transaction Authorization
- Segregation of Duties
- Supervision
- Accounting Records
- Access Control
- Independent Verification
IT Controls
- Application Controls: ensure validity, completeness & accuracy of financial transactions
- General Controls: apply to all systems
Documenting IT Controls
I. Internal Control Narratives
- Text describing controls over a particular risk
- Should describe the origin and disposition of each document (paper or electronic), list processing steps and describe internal controls (ex. approvals and authorizations).
Documenting IT Controls
II. Flowcharts
- Systems flowcharts that highlight control points
- Use symbols and connectors to show documents, data flows and process steps
Documenting IT Controls
Common Flowchart Symbols (figure): Computer Process, Start/Stop, Document, Manual Process, Data Flow, Decision, Disk Storage, Keyboard Input, Online Storage
Documenting IT Controls
III. Internal Control Questionnaires
- List questions about internal control over various applications, processes or risks.
- Answerable with yes or no