Risks and Controls


Information Technology Risks and Controls

Risk, Threat, Vulnerability

What is Risk?
Chances of negative outcomes.
A possibility that a threat is capable of exploiting a known weakness or vulnerability.

Business Risk
The likelihood that an organization will not achieve its business goals and objectives.
Chances of occurrence can be attributed to internal and external factors.
Auditors must first become familiar with the enterprise's Strategic Plan.

Audit Risk
The likelihood that an organization's external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements, or that an IT auditor fails to uncover a material error or fraud.

Audit Risk Model

Audit Risk (AR) = Inherent Risk (IR) x Control Risk (CR) x Detection Risk (DR)

Test of Controls
Objective is to determine whether adequate internal controls are in place and functioning properly.

Substantive Tests
Involve a detailed investigation of specific account balances.

Zero Audit Risk?
Audit Risk cannot be reduced to zero.
Risks should be controlled at an acceptable level and in a cost-effective manner.

Residual Risk
Any risk remaining after implementation
of effective internal controls

Security Risk
Includes risks associated with:
i) data access: physical or logical unauthorized access to data
ii) integrity: risks in collecting and processing of data

Continuity Risk
Includes risks associated with an information system's availability and backup and recovery.

Availability
Ensures that the information system is always accessible to users.

Backup & Recovery
Ensures that in case of an interruption in continuity, procedures are available to restore data and operations.

Risk Management
Attempts to balance risk against the needs of the organization.

The Risk Management Process
1) Identify IT Risks
2) Assess IT Risks
3) Identify IT Controls
4) Document IT Controls
5) Monitor IT Risks & Controls

Risk Assessment
Operational process by which risks are identified and characterized.

Risk and Control Self-Assessment (RCSA)
The process of identifying, recording and assessing potential risks and related controls.

IT Risk Assessment
1) Identify Threats/Exposures
   e.g. data confidentiality, availability, integrity, timeliness, accuracy and IT infrastructure
2) Assess Vulnerabilities to Threats/Exposures
   e.g. remote access / on-site access by unauthorized users
3) Determine Acceptable Risk Levels
   e.g. chance is .05 %
4) Assess the Probability of Vulnerabilities
   Guesstimation

Expected Value of Risk = Estimated Loss from Specific Risk x % Likelihood of Loss
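The four-step assessment above, carried through as an added example (not code from the original slides): a small risk register where each entry records the threat, the vulnerability it could exploit, an estimated loss and a likelihood, and the expected value of each risk is computed with the slide's formula and compared against the acceptable risk level. All register entries, loss figures and likelihoods are constructed sample values; the acceptable level takes the slide's ".05 %" as a probability of 0.0005.

```python
"""IT risk assessment worked through the four steps: identify threats,
assess vulnerabilities, set an acceptable risk level, estimate likelihood.

Added example, not from the original slides. Register entries, loss
estimates and likelihoods are constructed sample values.
"""
from dataclasses import dataclass

# Step 3: acceptable risk level. The slide's ".05 %" read as a probability.
ACCEPTABLE_LIKELIHOOD = 0.0005


@dataclass(frozen=True)
class RiskItem:
    threat: str             # step 1: threat / exposure
    vulnerability: str      # step 2: weakness the threat could exploit
    estimated_loss: float   # estimated loss from this specific risk (currency units)
    likelihood: float       # step 4: estimated probability of the loss, 0.0 .. 1.0

    def expected_value(self) -> float:
        """Expected Value of Risk = Estimated Loss from Specific Risk x % Likelihood of Loss."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability between 0 and 1")
        return self.estimated_loss * self.likelihood


def sample_register():
    """Constructed register for illustration; not data from any real assessment."""
    return [
        RiskItem("Unauthorized remote access to customer data",
                 "remote-access accounts without a second authentication factor",
                 250_000.0, 0.02),
        RiskItem("Backup unusable when a restore is needed",
                 "backups never test-restored",
                 80_000.0, 0.10),
        RiskItem("Data entry error in payroll processing",
                 "no input validation on the hours-worked field",
                 12_000.0, 0.30),
        RiskItem("Data centre destroyed by flood",
                 "single site, no alternate processing facility",
                 2_000_000.0, 0.0001),
    ]


def assess(register, acceptable_likelihood=ACCEPTABLE_LIKELIHOOD):
    """Rank risks by expected value (highest first) and flag those whose
    likelihood exceeds the acceptable level set in step 3."""
    ranked = sorted(register, key=lambda r: r.expected_value(), reverse=True)
    return [
        {
            "threat": r.threat,
            "expected_value": round(r.expected_value(), 2),
            "exceeds_acceptable": r.likelihood > acceptable_likelihood,
        }
        for r in ranked
    ]


if __name__ == "__main__":
    for row in assess(sample_register()):
        flag = "ABOVE acceptable level" if row["exceeds_acceptable"] else "within acceptable level"
        print(f'{row["threat"]}: expected value {row["expected_value"]:,.2f} ({flag})')
```

Note that the ranking is driven by expected value while the flag is driven by likelihood alone: the flood scenario has the largest potential loss but falls within the acceptable level, whereas the untested backups rank first because a moderate loss is multiplied by a high likelihood. That separation is what lets the assessment justify spending on controls in a cost-effective manner.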

Internal Control Objectives
1) To safeguard the assets of the firm
2) To ensure the accuracy and reliability of accounting records and information
3) To promote the efficiency of the firm's operations
4) To measure compliance with laws and regulations

Internal Control Limitations
1) Possibility of Error
2) Circumvention
3) Management Override
4) Changing Conditions

Preventive Control
Passive techniques designed to
reduce the frequency of occurrence
of undesirable events

Detective Control
Devices, techniques and procedures
designed to identify and expose
undesirable events that elude
preventive controls

Corrective Control
Actions that must be taken to
reverse the effects of detected
errors.
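The three control types above, shown side by side as an added example (not code from the original slides) over a constructed batch of vendor payments: a preventive control refuses transactions that fail an approved-vendor and approval-limit check before posting; a detective control reconciles the posted total against a control total and finds a duplicate payment that passed the preventive check because each copy was individually valid; a corrective control reverses the duplicate with an offsetting entry rather than deleting it. The vendor list, limit, transactions and control total are all constructed sample data.

```python
"""Preventive, detective and corrective controls over a payment batch.

Added example, not from the original slides. All transactions, limits and
the approved-vendor list are constructed sample data.
"""

APPROVED_VENDORS = {"V100", "V200"}   # constructed approved-vendor master
APPROVAL_LIMIT = 10_000.0             # payments above this need a recorded approver

# Constructed sample batch. T5 repeats T1's vendor and invoice number (a
# duplicate payment) but is individually valid, so the preventive control
# lets it through; T3 and T4 should be refused.
SAMPLE_BATCH = [
    {"id": "T1", "vendor": "V100", "invoice": "INV-1", "amount": 4_000.0, "approved_by": None},
    {"id": "T2", "vendor": "V200", "invoice": "INV-2", "amount": 15_000.0, "approved_by": "cfo"},
    {"id": "T3", "vendor": "V999", "invoice": "INV-3", "amount": 500.0, "approved_by": None},
    {"id": "T4", "vendor": "V100", "invoice": "INV-4", "amount": 12_000.0, "approved_by": None},
    {"id": "T5", "vendor": "V100", "invoice": "INV-1", "amount": 4_000.0, "approved_by": None},
]
CONTROL_TOTAL = 19_000.0   # total of the source documents that should post (T1 + T2)


def preventive_control(txn):
    """Checks applied before posting; a non-empty list means the transaction is refused."""
    problems = []
    if txn["vendor"] not in APPROVED_VENDORS:
        problems.append("vendor not on approved list")
    if txn["amount"] > APPROVAL_LIMIT and not txn["approved_by"]:
        problems.append("amount exceeds limit without recorded approval")
    return problems


def post_batch(batch):
    """Apply the preventive control to each transaction; return (ledger, rejected)."""
    ledger, rejected = [], []
    for txn in batch:
        problems = preventive_control(txn)
        if problems:
            rejected.append((txn["id"], problems))
        else:
            ledger.append(dict(txn))
    return ledger, rejected


def ledger_total(ledger):
    return sum(t["amount"] for t in ledger)


def detective_control(ledger, control_total):
    """Run after posting: batch-total reconciliation plus a duplicate-invoice check.
    Returns (discrepancy against the control total, ids of later duplicates)."""
    discrepancy = ledger_total(ledger) - control_total
    seen, duplicates = set(), []
    for t in ledger:
        key = (t["vendor"], t["invoice"])
        if key in seen:
            duplicates.append(t["id"])
        seen.add(key)
    return discrepancy, duplicates


def corrective_control(ledger, duplicate_ids):
    """Reverse the effect of detected duplicates with offsetting entries,
    keeping the original postings so the audit trail stays intact."""
    corrected = list(ledger)
    for t in ledger:
        if t["id"] in duplicate_ids:
            corrected.append({**t, "id": t["id"] + "-REV", "amount": -t["amount"]})
    return corrected


def run_controls(batch=SAMPLE_BATCH, control_total=CONTROL_TOTAL):
    """Run the three control layers in order and summarize what each one did."""
    ledger, rejected = post_batch(batch)
    discrepancy, duplicates = detective_control(ledger, control_total)
    corrected = corrective_control(ledger, duplicates)
    return {
        "posted": [t["id"] for t in ledger],
        "rejected": [r[0] for r in rejected],
        "discrepancy": discrepancy,
        "duplicates": duplicates,
        "corrected_total": ledger_total(corrected),
    }


if __name__ == "__main__":
    for key, value in run_controls().items():
        print(f"{key}: {value}")
```

The point the slides make, that detective controls exist for events that elude preventive ones, shows up directly: the duplicate is invisible to any check that looks at one transaction at a time and only appears when the batch is reconciled as a whole.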

COSO and Other Control Models
Committee of Sponsoring Organizations (COSO) Framework
Internal control is broadly defined as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

COSO and Other Control Models
United Kingdom's Cadbury Commission
Provided a broad definition of internal control and stressed that it encompasses both financial and operational controls and that auditors should report on both.

COSO and Other Control Models
Canadian Criteria of Control Committee (CoCo)
Similar model in definition and elements but less complex than the first two.

SAS 109
Based on the COSO framework.
Describes the complex relationship between the firm's internal controls, the auditor's assessment of risk and the planning of audit procedures.

COBIT
Control Objectives for Information and Related Technologies
Defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.

COBIT 5
[Process Reference Model]

ITIL
Information Technology Infrastructure Library
Set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business.
ISO/IEC 27000
Explains the purpose of an Information Security Management System (ISMS), used to manage information security risks and controls within an organization.
Components of Internal Control
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring

Control Environment
Sets the tone for the organization.
Influences the control awareness of its management and employees.
i. Integrity & ethical values
ii. Organization structure
iii. Board of Directors' and Audit Committee participation
iv. Management's philosophy and operating style
v. Procedures for delegating responsibility & authority
vi. Performance assessment method of management
vii. External influence (ex. regulatory agencies)
viii. Policies and procedures for managing human resources

Risk Assessment
Identify, analyze and manage risks relevant to financial reporting.
Auditors should understand how management identifies, prioritizes and manages the risks related to financial reporting.

Information & Communication
The Accounting Information System consists of records and methods used to initiate, identify, analyze, classify and record the organization's transactions and to account for the related assets and liabilities.

Monitoring
Process by which the quality of internal control design and operation can be assessed.
2 categories:
i. Physical Controls
ii. Information Technology (IT) Controls

Control Activities
Policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.
2 categories:
i. Physical Controls
ii. IT Controls

Physical Controls
- Transaction Authorization
- Segregation of Duties
- Supervision
- Accounting Records
- Access Control
- Independent Verification

IT Controls
Application Controls
- ensure the validity, completeness & accuracy of financial transactions

General Controls
- apply to all systems

Documenting IT Controls
I. Internal Control Narratives
Text describing controls over a particular risk.
Should describe the origin and disposition of each document (paper or electronic), list processing steps and describe internal controls (ex. approvals and authorizations).

Documenting IT Controls
II. Flowcharts
Systems flowcharts that highlight control points.
Use symbols and connectors to show documents, data flows and process steps.

Documenting IT Controls
Common Flowchart Symbols
- Computer Process
- Start/Stop
- Document
- Manual Process
- Data Flow
- Decision
- Disk Storage
- Keyboard Input
- Online Storage

Documenting IT Controls
III. Internal Control Questionnaires
Lists of questions about internal control over various applications, processes or risks.
Answerable with yes or no.
