IT Risk Control and Audit
Figure: layers of the computer environment (computer center, application, data files). Auditing the general controls covers the computer environment and center; auditing the application controls covers the application and its data files.
• Increased Productivity
• Provision of New Services
• Competitive Advantage
• Better Decision Making
• Improved Company Image
• Complexity of Controls
• Increased Reliance on Systems
• Increased Risks
• Lack of Technical Personnel
Impacts of IT on Internal Control & Audit
• Transaction trails
• Uniform processing of transactions
• Segregation of functions
• Potential for errors and frauds
• Potential for increased management supervision
• Initiation or subsequent execution of transactions by computers
• Dependence of other controls
Risks
Definitions
Risk Management Process (steps shown in the cycle diagram)
• Understand Objectives: IT objectives should be defined in such a way that all steps are in line with business objectives. IT objectives could be used as a basis.
• Identify Risks: anything that can affect the ability to achieve the above objectives.
• Monitoring: monitored to ensure that risk and response are aligned at all times.
2. Risk Identification
• People, Process & Technology
• Internal & External
• Hazard, Uncertainty & Opportunity
• Root Cause
Examples:
• System design (input, process & output)
• Hackers & unauthorised access
Risk Definition
Risk Response
1. Accepting (Take)
2. Reducing (Treat)
3. Avoiding (Terminate)
4. Sharing (Transfer)
Risk Matrix columns:
• Objectives
• Risk Factors
• Risk Rating (Likelihood / Impact)
• Current Controls
• Acceptable Risk Rating
• Control Improvement
Risk Map
Figure: each identified risk (coded A1 to L1) is plotted by Likelihood (1 to 5, vertical axis) against Impact (1 to 5, horizontal axis).
IT Governance – The definition
IT Governance focuses on:
• IT Value Delivery
• Managing Risks
• Resource Management
Critical mission for IT & Business Alignment
IT Value Delivery
Risk Management
Performance Measurement
22/11/07
Overview
Product Family
COBIT 5 is based on 5 principles:
• Customized benefits realization & optimized risks (goals cascade)
• All functions and processes (not only IT)
• Clear distinction between governance & management
Principle 1 – Meeting Stakeholder Needs (Cont)
Principle 2 – Covering the Enterprise
Principle 3 – A Single Integrated Framework
Principle 4 – A Holistic Approach
Principle 5 – Separate Governance from Management
- Governance
Governance ensures that stakeholder needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to be
achieved; setting direction through prioritization and decision making; and
monitoring performance and compliance against agreed-on direction and
objectives.
- Management
Management plans, builds, runs and monitors activities in alignment with
the direction set by the governance body to achieve the enterprise
objectives.
Enabling Process
COBIT 5 – Process Reference Model
Evaluate, Direct and Monitor
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency
Deliver, Service and Support
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls
Monitor, Evaluate and Assess
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
COBIT 5 – Process Reference Model
Details of each process:
• Process Description
• Activities
• Related Standards
IT Controls
Component of IT Controls
Figure: the Control Environment surrounds the IT General Controls (ITGC) and the Application Controls, which together protect the data files.
Controls Environment
IT General Controls (ITGC)
System Development & Changes
Who should be involved?
• Senior management
• User management & staff
• IT management & staff
• Auditors (?)
• Project Manager
• Project Owner
• Project Sponsor
Type of System Development
• In-House Development
• Purchase Commercial Software
Considerations:
• Implementation time
• Cost
• Reliability
• Independence (future concern)
• Customisation
• Maintenance
Systems Development Today
Risks and Controls
WHAT MANAGEMENT NEEDS TO KNOW
• Are we building the right product?
• Are we building the product right?
Systems Development
Phase: Control Objective
• Initiation: Project objectives have been clearly defined, documented and communicated. Organizational structure and reporting mechanism are properly defined.
Auditing Systems Development
Phase: Control Objective
• Analysis: Business and control requirements are clearly defined and documented. Requirements are consistent with objectives.
System Implementation
• Direct cutover
• Parallel implementation
• Pilot implementation
• Phased (module) implementation
System Documentation
• System manual
• Operation manual
• User manual
• User procedures
System Changes
General Controls - System Change
Background
Controls must cover
• Request/Approve
• Feasibility Studies
• Design/Construction
• Testing
• Program transfers
• Parallel Testing
• System Documentation
Disaster Recovery Plan
The Hamburger Model
Threats: fire, flood, storm, bomb, power and equipment failures, computer system breakdown.
Shield: access controls, hazard detection & prevention, redundancy, backup.
Your Business
Impact: massive disruption to business operations, adverse media coverage, poor image, loss of customer confidence, financial loss.
Safety Net: Emergency Response (evacuate, medical, public relations, emergency funds), Business Continuity Plan, Disaster Recovery Plan.
What is the right approach and/or solutions?
Risk Analysis
Business Continuity Plan
• Confidentiality
• Integrity
• Availability
Password Controls
• Minimum length, e.g. 8 characters
• Alphanumeric plus special characters
• Expire every certain number of days, e.g. 120 days
• Non-repeatable, e.g. last 10 passwords used
• Not easily guessed, e.g. non-dictionary words
• Non-sharing
• Suspend after a certain number of invalid sign-on attempts
• Non-display during log-in
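The password controls above, as an added example that is not part of the original deck: a small checker that tests a candidate password against each rule. The lockout threshold, the substitution table and the word list are constructed sample values.

```python
# Added example (not from the slides): a checker for the password controls
# listed above. The lockout threshold and the tiny word list are constructed
# sample values; a real deployment would use the organisation's policy values.
from datetime import date, timedelta

MIN_LENGTH = 8            # "Minimum length, e.g. 8 characters"
MAX_AGE_DAYS = 120        # "Expire every certain number of days, e.g. 120 days"
HISTORY_DEPTH = 10        # "Non-repeatable, e.g. last 10 passwords used"
MAX_INVALID_ATTEMPTS = 5  # assumed value; the deck names no number
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein"}  # constructed
# Common substitutions undone before the dictionary check ("P@ssw0rd" -> "password").
LEET = str.maketrans("@0134$", "aoieas")


def password_violations(candidate, previous_passwords):
    """Return the policy rules a candidate password breaks (empty = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in SPECIALS for c in candidate)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs letters, digits and a special character")
    # Non-repeatable: compare against the last HISTORY_DEPTH passwords used.
    if candidate in previous_passwords[-HISTORY_DEPTH:]:
        problems.append("reused within last %d passwords" % HISTORY_DEPTH)
    # Not easily guessed: strip substitutions, keep letters, look for known words.
    letters = "".join(c for c in candidate.lower().translate(LEET) if c.isalpha())
    if any(word in letters for word in DICTIONARY_WORDS):
        problems.append("based on a dictionary word")
    return problems


def password_expired(last_changed, today):
    """Expiry control: True once the password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def account_suspended(invalid_attempts):
    """Suspend the ID after a certain number of invalid sign-on attempts."""
    return invalid_attempts >= MAX_INVALID_ATTEMPTS
```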
How well do crackers crack passwords?
Figure: security access control sits between users and the Accounting (A/P) system and its database, files and tables.
Introduction to OS (cont)
Authentication
• Identification and confirmation of an individual using pre-defined access data stored in the system
• Types of authentication:
- Knowledge
- Possession
- Characteristic
Introduction to OS (cont)
Authorisation
• Check an individual's authorisation before allowing access to specific computer resources (e.g. data files, programs, commands, devices, communication capabilities, etc.)
• Individual rights & resource protection
• Best practice: allow access on a “need-to-use” basis only
Introduction to OS (cont)
Audit Logging
• Recording critical activities, such as use of privileged IDs, critical processes, data and utilities, and security events.
• Reviews and log maintenance
DATABASE
Flat File vs Database
Figure: with flat files, Accounting and Finance each keep their own customer, invoice and receipt files; with a database, a single DBMS holds the data and serves Query 1 and Query 2.
Database Model
Figure: the Database Administrator, System Development and Applications interact with the DBMS; users' transaction programs reach the physical database through the Data Definition Language, Data Manipulation Language and Query Language, with the DBMS running on the host operating system.
Computer Network
Network Components
• Public Network
• Private Network
• Virtual Private Network
Network Controls
Network Equipment - Firewall
Controls
• OS controls
• Firewall admin restrictions
• Rule base settings
Application Controls
Background
• Specific to an application, and independent of other applications
• Address completeness, accuracy, validity and authorization of data being processed by the system
• Controls can be “automated” or “manual” and can be “preventive”, “detective” or “corrective”
• Automated processing
• The level of control depends on the level of business risk
Application Controls
Risks
• Application functions may not be adequately segregated
• Users may have excess system authorities
• Transactions may be entered incorrectly, incompletely, more than once, or not timely.
• Transactions may be processed incorrectly, incompletely, more than once, or not timely.
• Outputs may not be properly and safely used.
Application Controls
Background
1. Access to application functions (segregation of duties within the application)
2. Input controls (incl. reject/suspend inputs, interfaces)
   2.1 Planning & design
   2.2 Edit/validate by the system
   2.3 Procedures to review accuracy and completeness of input
3. Processing controls
4. Output controls (usage & confidentiality)
RISK BASED AUDIT APPROACH
Figure: risks are mapped to controls, and the controls are audited; uncontrolled risks lead to advice for improvement and/or substantive testing.
Auditing Process
Phases: Strategic Planning, Assignment Planning, Execution, Reporting, Follow-Up
Planning activities shown in the figure:
• Business objectives
• Define weight of objectives
• Define auditable areas
• Define risk factors
• Risk assessment
• Define audit approach
• Prioritise
• Identify resources
• Audit schedule
• Walk-through testing
• Identify risks
• Risk/control analysis
• Risks vs control procedures
• Identify key controls
• Allocate staff
Computer Assisted Audit Technique (CAAT)
CAAT Considerations
• Mix of computer and manual tests
• Computer knowledge, expertise and experience of the auditor
• Reliability of general computer controls
• Availability of CAATs and suitable facilities
• Impracticability of manual audit procedures
• Effectiveness and efficiency of the testing
• Development time
CAAT Objectives
• Detailed testing of transactions, data, and processes where efficiency and effectiveness can be gained, or in cases where manual testing is not possible or feasible, including:
- Testing of accuracy & completeness of processes
- Analysis and test of data
- Fraud analysis & evidence collection
Parallel Simulation
1. The application processes the live data and produces its report.
2. Download the data to removable storage.
3. Develop the CAAT program.
4. Run the CAAT program over the downloaded data to produce the CAAT report.
5. Compare the application report with the CAAT report.
Test Data Approach / Test Transactions
1. Copy the application program.
2. Prepare the CAAT test data (held on removable storage) and run the copied program over it to produce a report.
3. Prepare a report of the expected results by manual calculation.
4. Compare the two reports.
CAAT Steps
1. Determine if CAAT is appropriate
2. Define audit objectives
3. Determine required data
4. Arrange for data download
5. Perform analysis & testing
6. Summarise & document
Analyses performed in step 5:
• Mathematics (accuracy)
• Validity (exception testing & duplicates)
• Analytical review
• Cut-off
• Completeness (gaps)
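The step 5 analyses and the parallel simulation approach above, as an added example that is not part of the original deck: a small CAAT program run over a constructed sample of downloaded invoice records, recomputing amounts independently of the application and listing duplicates, sequence gaps and cut-off exceptions. Invoice numbers, vendors, amounts and the audit period are all made up.

```python
# Added example (not from the slides): the step-5 analyses run over a constructed
# sample of downloaded invoice records, the way a CAAT program would after the
# data download. Recomputing amounts independently of the application is the
# parallel-simulation idea in miniature. All records below are made up.
from datetime import date

# Constructed download: (invoice_no, vendor, qty, unit_price, amount, posting_date)
INVOICES = [
    (1001, "ACME", 10, 2.50, 25.00, date(2024, 3, 2)),
    (1002, "ACME", 4, 9.99, 39.96, date(2024, 3, 5)),
    (1003, "BOLT", 3, 20.00, 61.00, date(2024, 3, 9)),    # amount != qty * price
    (1003, "BOLT", 3, 20.00, 61.00, date(2024, 3, 9)),    # same invoice twice
    (1006, "CRANE", 1, 500.00, 500.00, date(2024, 4, 1)),  # posted after period end
    (1007, "CRANE", 2, 75.00, 150.00, date(2024, 3, 30)),
]
PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)


def mathematics_test(rows):
    """Accuracy: recompute qty * unit_price and flag rows whose stored amount differs."""
    return sorted({r[0] for r in rows if round(r[2] * r[3], 2) != round(r[4], 2)})


def duplicate_test(rows):
    """Validity: invoice numbers that occur more than once in the download."""
    seen, dups = set(), set()
    for r in rows:
        (dups if r[0] in seen else seen).add(r[0])
    return sorted(dups)


def gap_test(rows):
    """Completeness: invoice numbers missing from the expected sequence."""
    present = {r[0] for r in rows}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def cutoff_test(rows, start=PERIOD_START, end=PERIOD_END):
    """Cut-off: invoices posted outside the period under audit."""
    return sorted(r[0] for r in rows if not start <= r[5] <= end)


def run_caat(rows):
    """Summarise every exception by test name, ready for the working papers."""
    return {
        "mathematics": mathematics_test(rows),
        "duplicates": duplicate_test(rows),
        "gaps": gap_test(rows),
        "cutoff": cutoff_test(rows),
    }
```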
Audit Software
Control quadrant: Cost vs. flexibility
Figure (PwC): controls placed by cost and flexibility.
• Manual detective controls: high flexibility, high cost
• Real-time detective controls: high flexibility, low cost
• Manual preventive controls: low flexibility, high cost
• Automated preventive controls: low flexibility, low cost
Continuous auditing overview
Continuous Monitoring
Includes the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. Performed by operational/financial management.
Technology as an enabler
Internal Audit Process Framework – as is
Annual Risk Assessment, Audit Plan, Fieldwork, Reporting, Wrap-Up
Technology is being applied here (in audit management and data analysis) to speed up the audit process…
How CM/CA should be developed.
1. Planning: choose the right area/business process
2. Risk Assessment: identify key risks, indicators and the data required for analysis
3. Acquire & Prepare: an extractor pulls data from the source systems (Billing, HR, Approvals, ERP, Custom)
4. Analyze: Process, GL, Transactions and Accounts analytics