Chapter 1 MMLS
Impact of IT on organizations
IT is important in all kinds of organizations.
Therefore IT has influence on organizational risks and controls.
IT creates opportunities, but these opportunities bring with them many kinds of risks.
Impact of IT on organizations
Transmit documents electronically to customers and vendors
Potential failure of electronic communication systems
[Diagram labels:]
Costs of incorrect decision making
Controlled evolution of computer user
Organizational costs of data loss
Costs of computer abuse
Value of computer hardware, software and personnel
High costs of computer error
Organizations
Maintenance of privacy
Control and audit of computers
high quality decision rules
Computer Abuse
Hacking: unauthorized electronic access to a computer system to read, modify or delete programs/data or to disrupt services.
Viruses: programs which attach themselves to computer files to disrupt operations or damage data or programs.
2 objectives:
Replicate themselves
Deliver a payload that causes a disruption
Abuse of privileges: use privileges for unauthorized purposes
Destruction of assets
Theft of assets
Modification of assets
Privacy violations
Disruption of operations
Unauthorized use of assets
Physical harm to personnel
Computer abuse
Losses are higher than from conventional fraud
Numbers and types of threats seem to be increasing
Organizations are not well prepared
Deterrent security and administrative countermeasures can be effective
Laws governing abuse are evolving
Maintenance of privacy
Taxation, credit, medical, educational, employment, residence, spending habits
Data mining - integration, retrieval and matching profiling
Human genome banks
Regulations vary widely by country
Financial Audits
Financial statements in accordance with Generally Accepted Accounting Principles (GAAP).
BOD, managers and personnel analyze internal control system.
A set of rules, policies and procedures an organization implements to provide reasonable assurance that:
its financial reports are reliable,
its operations are effective and efficient,
its activities comply with applicable laws and regulations.
Control activities
Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives.
Controls have various objectives and may be applied at various organizational and functional levels.
Control Usage - Prevent, Detect, and Correct
Preventive controls focus on preventing an error or irregularity.
Detective controls focus on identifying when an error or irregularity has occurred.
Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
Control Activities
Physical controls: security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization's records.
Information processing controls are used to check accuracy, completeness, and authorization of transactions.
General controls cover data center operations, systems software acquisition and maintenance, access security, and application systems development and maintenance.
Application controls apply to the processing of a specific application, like running a computer program to prepare employees' payroll checks each month.
Organizations
Improved safeguarding of assets
Improved data integrity
Improved system effectiveness
Use resources efficiently
IT Audit Skills
College education: IS, computer science, accounting
Certifications
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
IT Audit Skills
General Personal and Business Skills
Professional IT Auditor
Organizations
The groups include:
Professional IT Auditor
Certifications