IT Risk Control and Audit


IT Risk, Control & Audit
Diagram: scope of IT audit. Nested layers: Computer Environment, Computer Center, Application, Data Files. Three audit activities are shown against them: Audit the General Controls, Audit the Application Controls, and Using Tools to Audit the Information.
Values and Challenges

Values:
• Increased productivity
• Providing new services
• Competitive advantage
• Better decision making
• Improved company image

Challenges:
• Complexity of controls
• Increased reliance on systems
• Increased risks
• Lack of technical personnel
Impacts of IT on Internal Control & Audit
• Transaction trails
• Uniform processing of transactions
• Segregation of functions
• Potential for errors and fraud
• Potential for increased management supervision
• Initiation or subsequent execution of transactions by computers
• Dependence on other controls
Risks

Definition

Risk is anything that may have an impact on the organisation’s ability to achieve its objectives.
Risk Management Process

The process is a cycle: Understand Objectives, Identify Risks, Assess Risks, Response to Risks, Monitoring.

• Understand Objectives: IT objectives should be defined in such a way that all of them are in line with business objectives. IT objectives could be used as a basis.
• Identify Risks: anything that can affect the ability to achieve the above objectives, across People, Process and Technology.
• Assess Risks: LIKELIHOOD of occurrence and IMPACT on the objective are assessed at both the INHERENT and RESIDUAL level.
• Response to Risks: if the RESIDUAL risk still exceeds the ACCEPTABLE risk, an additional risk response should be implemented.
• Monitoring: all steps are monitored to ensure that risks and responses are aligned at all times.
IT Objectives

Risk Identification

Dimensions: People, Process & Technology; Internal & External; Hazard, Uncertainty & Opportunity; Root Cause.

People
• Poor management (planning & policy)
• Skills of IT and non-IT staff
• User awareness: unaware of, or not understanding, rules and regulations

Process
• Poor authority-granting procedures
• Security management (policy & procedure)
• Processing management (design & execution)
• No BCP, backup & recovery
• No monitoring

Technology
• System design (input, process & output)
• System & network design
• System (H/W & network)
• Hardware failures
• Hackers & unauthorised access
• Viruses & attacks
• External sabotage
Risk Definition

• Acceptable Risk (Risk Appetite)
• Inherent Risk
• Residual Risk
Risk Response

1. Accepting (Take)
2. Reducing (Treat)
3. Avoiding (Terminate)
4. Sharing (Transfer)

COBIT can be used as a guideline for risk treatment.
Risk Matrix

Objectives
• Risk Factors
• Risk Rating (Likelihood / Impact)
• Current Controls
• Acceptable Risk Rating
• Control Improvement

Matrix columns: Risk Factors | Rating (L, I) | Current Controls | Rating (L, I) | Control Improvements
Risk Map

Chart: risk items (coded A1 to L1) plotted by Likelihood (vertical axis, 1 to 5) against Impact (horizontal axis, 1 to 5).
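The risk definition, risk response, risk matrix and risk map slides above describe one calculation: rate Likelihood and Impact at the inherent level, again at the residual level after current controls, and compare the residual rating with the acceptable rating to decide whether a further response is needed. The following Python is an added worked example (not code from the slides): the acceptable rating of 6, the 1-to-5 product scale and the three register entries are constructed assumptions.

```python
"""Risk matrix and risk map worked example.

Added example, not taken from the slides. It applies the deck's own terms:
Likelihood (L) and Impact (I) rated 1-5, rating = L x I, assessed at the
INHERENT level (before controls) and the RESIDUAL level (after the current
controls); a residual rating above the ACCEPTABLE rating (risk appetite)
means an additional risk response / control improvement is required.
The register entries and the appetite value are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPTABLE_RATING = 6          # assumed risk appetite: residual L x I must be <= 6
SCALE = range(1, 6)            # both axes run 1..5, as on the risk map


@dataclass
class Risk:
    code: str                  # map label, e.g. "A1"
    factor: str
    inherent_l: int
    inherent_i: int
    current_controls: List[str] = field(default_factory=list)
    residual_l: int = 0
    residual_i: int = 0

    def __post_init__(self):
        # With no controls in place the residual rating equals the inherent one.
        if not self.current_controls:
            self.residual_l, self.residual_i = self.inherent_l, self.inherent_i


def rating(likelihood: int, impact: int) -> int:
    """Risk rating = Likelihood x Impact on the 1-5 scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be rated 1 to 5")
    return likelihood * impact


def response_for(residual: int, appetite: int = ACCEPTABLE_RATING) -> str:
    """Map the residual rating to the deck's four risk responses."""
    if residual <= appetite:
        return "Accept (Take)"
    # Above appetite: treat, terminate or transfer; which one is a management decision.
    return "Additional response required: Reduce (Treat), Avoid (Terminate) or Share (Transfer)"


def assess(register: List[Risk]) -> List[dict]:
    """Build the risk matrix rows: factor, ratings, controls, improvement flag."""
    rows = []
    for r in register:
        inherent = rating(r.inherent_l, r.inherent_i)
        residual = rating(r.residual_l, r.residual_i)
        rows.append({
            "code": r.code,
            "risk_factor": r.factor,
            "inherent": inherent,
            "current_controls": r.current_controls,
            "residual": residual,
            "control_improvement_needed": residual > ACCEPTABLE_RATING,
            "response": response_for(residual),
        })
    return rows


def risk_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk codes by their (residual likelihood, residual impact) cell."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        cells.setdefault((r.residual_l, r.residual_i), []).append(r.code)
    return cells


# Constructed register (sample data, not from the slides).
REGISTER = [
    Risk("A1", "Unauthorised access to payroll data", 5, 5,
         ["password policy", "need-to-use access rights"], residual_l=2, residual_i=5),
    Risk("B1", "File server hardware failure", 3, 4,
         ["redundant disks", "nightly backup"], residual_l=2, residual_i=3),
    Risk("C1", "Users unaware of security rules", 4, 2),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row["code"], row["inherent"], "->", row["residual"], row["response"])
    print(risk_map(REGISTER))
```

A1 keeps a residual rating of 10 even after two controls, so it stays above appetite and is flagged for control improvement; B1 lands exactly on the appetite and is accepted; C1 has no controls, so its residual rating is its inherent one.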
IT Governance – The definition

“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

The relationships are between management and its governing body.

The processes cover:
-- setting objectives
-- giving direction on how to attain them
-- measuring performance

22/11/07
IT Governance components

IT Governance focuses on:
• IT Value Delivery
• Managing Risks
• Resource Management
Critical mission for IT & Business Alignment

• Ensure that board members and other senior managers are continuously educated in IT.
• Ensure that IT leadership and key IT managers are given resources (especially time) to help them fully understand the business, its industry and its markets.
• Ensure that IT is a regular item on the board agenda, not just annually as part of the budgeting process.
• Embed the IT planning (three-year plan and budget) process into the enterprise strategic planning process.
• Establish an appropriate IT-related committee structure.
IT Value Delivery

• What values will IT deliver to the organisation?
  • Increase in productivity
  • Providing new services
  • Competitive advantage
  • Better image
• How will the values be delivered?
  • In line with business requirements
  • Flexible for future needs
  • Ease of use, durable and safe
Risk Management

• Establish an IT risk assessment process
• Continuously assess IT risks
• Define clear roles and responsibilities
• Report regularly on risks
• Embed risk management in IT processes
Performance Measurement

Overview

Product Family
COBIT 5 is based on 5 principles:
• Meeting stakeholder needs: customised benefits realisation and risk optimisation (goals cascade)
• Covering the enterprise: all functions and processes, not only IT
• A single integrated framework: aligned with other standards and frameworks (at a high level)
• A holistic approach: takes into account several interacting components (7 enablers)
• Separating governance from management: clear distinction between governance and management
Principle 1 – Meeting Stakeholder Needs (Cont)

Principle 2 – Covering the Enterprise

Principle 3 – A Single Integrated Framework

Principle 4 – A Holistic Approach
Principle 5 - Separate Governance from Management

- Governance
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

- Management
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Enabling Process
COBIT 5 – Process Reference Model

Evaluate, Direct and Monitor (EDM)
• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Align, Plan and Organise (APO)
• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Build, Acquire and Implement (BAI)
• BAI01 Manage Programs and Projects
• BAI02 Manage Requirements Definition
• BAI03 Manage Solutions Identification and Build
• BAI04 Manage Availability and Capacity
• BAI05 Manage Organisational Change Enablement
• BAI06 Manage Changes
• BAI07 Manage Change Acceptance and Transitioning
• BAI08 Manage Knowledge
• BAI09 Manage Assets
• BAI10 Manage Configuration

Deliver, Service and Support (DSS)
• DSS01 Manage Operations
• DSS02 Manage Service Requests and Incidents
• DSS03 Manage Problems
• DSS04 Manage Continuity
• DSS05 Manage Security Services
• DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
• MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
COBIT 5 – Process Reference Model: details of each process

• Process description
• Process purpose statement
• IT-related goals and related metrics
• Process goals and related metrics
• Key management practices with RACI chart
• Management practice inputs and outputs
• Activities
• Related standards
IT Controls

Components of IT Controls

• IT Control Environment (Entity Level Control)
• IT General Controls
• IT Application Controls

Diagram: the Control Environment surrounds the IT General Controls (ITGC), which surround the Application Controls, which surround the Data Files.
Controls Environment

• IT policies & procedures
• IT organisation structure (roles & responsibilities)
• Human resource management
• Tone at the top
• Culture

IT Policies & Procedures
• IT usage policy
• IT security policy
• System development policy
• System development and change procedures
• Security administration procedure
• IT operation procedure & manual
IT General Controls (ITGC)

• ITGC is the foundation of the overall control of the IT environment.
• It is mainly the responsibility of IT management, and mostly sits within the IT department.
• COBIT is a good collection of all ITGC.

ITGC areas:
• System development & changes
• Operation
• Disaster recovery plan
• Security management
System Development & Changes

Who should be involved?
• Senior management
• User management & staff
• IT management & staff
• Auditors (?)
• Project Manager
• Project Owner
• Project Sponsor

Types of System Development
• In-house development
• Purchase of commercial software
• Considerations:
  • Implementation time
  • Cost
  • Reliability
  • Independence (future concern)
  • Customisation
  • Maintenance
Systems Development Today

Risks and Controls: what management needs to know
• Are we building the right product?
• Are we building the product right?
Auditing Systems Development: control objectives by phase

Initiation
• Project objectives have been clearly defined, documented and communicated.
• Organisational structure and reporting mechanism are properly defined.

Analysis
• Business and control requirements are clearly defined and documented.
• Requirements are consistent with objectives.

Design
• Design incorporates business requirements.
• Design incorporates control requirements.
• Design incorporates audit requirements.
• Auditor requirements: embedded audit routines, exception reports.

Construction
• New system is adequately tested: comprehensive test plan, business user involvement, IS involvement, audit involvement, documented test results.
• All requirements are tested.

Implementation
• Critical operational controls have been implemented.
• Business user approval.
• System is migrated via a protected environment.
• System performs as designed.
• Original business requirements are satisfied.
System Implementation
• Direct cutover
• Parallel implementation
• Pilot implementation
• Phased (module) implementation

System Documentation
• System manual
• Operation manual
• User manual
• User procedures
System Changes

General Controls - System Change

Background: controls must cover
• Request/Approve
• Feasibility studies
• Design/Construction
• Testing
• Program transfers
• Parallel testing
• System documentation

Disaster Recovery Plan
The Hamburger Model

Diagram: threats hit "Your Business" and produce impacts; a shield of controls stands in front of the business and a safety net of plans behind it.

Threats: fire, flood, storm, bomb; power and equipment failures; computer system breakdown.

Shield: access controls; hazard detection & prevention; redundancy; backup.

Impact: massive disruption to business operations; adverse media coverage; poor image; loss of customer confidence; financial loss.

Safety net: Business Continuity Plan; Disaster Recovery Plan; Emergency Response (evacuation, medical, public relations, emergency funds).

What is the right approach and/or solution? Risk analysis.
Business Continuity Plan

• An integrated set of procedures and resource information that is used to recover from an event that has caused a disruption to business operations.
• It answers the newspaper questions: who, what, when, where, why, how.
IT Operation

IT Operation comprises:
• Turning systems on/off
• Monitoring usage
• Problem/incident handling
• Batch processing
• Backup/restore
• Report printing & distribution

IT Operation controls:
• Steps are clearly defined
• Adequate training
• Supervision
System Security

Background: Security
• Security can be broadly defined as the control structure established to manage the confidentiality, integrity and availability of IS data and resources.

Effective security includes:
• Management and administration
• Logical security
• Physical security
Security Controls - Security Policy

• The policy is also a legal and human resources document and should be handled accordingly.
• All users should sign to indicate understanding of, and agreement to comply with, the security policy.
• All users should periodically (typically annually) verify continued understanding of, and compliance with, the security policy.
Security Controls - Password Controls

• Minimum length, e.g. 8 characters
• Alphanumeric plus special characters
• Expire after a set number of days, e.g. 120 days
• Non-repeatable, e.g. cannot match the last 10 passwords used
• Not easily guessed, e.g. no dictionary words
• No sharing
• Suspend the account after a set number of invalid sign-on attempts
• Not displayed during log-in

How well do crackers crack passwords?
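The password controls listed above are the kind of rules an auditor checks the system actually enforces. The Python below is an added example (not code from the slides) that turns each rule into a testable check: length, character classes, dictionary words, reuse against the last 10 passwords, expiry after 120 days and suspension after repeated invalid sign-ons. The dictionary word list, the lockout threshold of 5 and the sample passwords are constructed; history is kept only as salted PBKDF2 hashes so reuse can be tested without retaining old passwords.

```python
"""Password control checks from the slide, as a policy validator.

Added example, not from the slides. Thresholds are the slide's own examples
(8 characters, 120 days, last 10 passwords); the dictionary word list and the
lockout threshold are constructed/assumed. Passwords are never stored in clear:
history is kept as salted PBKDF2 hashes so reuse can be checked without keeping
the old passwords.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 8
MAX_AGE_DAYS = 120
HISTORY_SIZE = 10
MAX_INVALID_ATTEMPTS = 5        # assumed; the slide says "a set number"
DICTIONARY_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def matches(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt || digest value."""
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


def policy_violations(candidate: str, history: List[bytes]) -> List[str]:
    """Return the slide's rules that the candidate password breaks (empty list = OK)."""
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append(f"minimum length {MIN_LENGTH}")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        issues.append("must be alphanumeric")
    if not any(not c.isalnum() for c in candidate):
        issues.append("must contain a special character")
    # "Not easily guessed": strip digits/symbols and look the remaining letters up.
    letters = "".join(c for c in candidate.lower() if c.isalpha())
    if letters in DICTIONARY_WORDS:
        issues.append("dictionary word")
    # "Non-repeatable": compare against the last HISTORY_SIZE hashes only.
    if any(matches(candidate, old) for old in history[-HISTORY_SIZE:]):
        issues.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return issues


def password_expired(last_changed: date, today: date) -> bool:
    """Expiry rule: force a change once the password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def record_sign_on(account: dict, success: bool) -> dict:
    """Lockout rule: suspend after MAX_INVALID_ATTEMPTS consecutive failures."""
    if success:
        account["invalid_attempts"] = 0
    else:
        account["invalid_attempts"] = account.get("invalid_attempts", 0) + 1
        if account["invalid_attempts"] >= MAX_INVALID_ATTEMPTS:
            account["suspended"] = True
    return account


if __name__ == "__main__":
    history = [hash_password("Sunny-Day-2023")]
    print(policy_violations("Sunny-Day-2023", history))   # reuse of a recent password
    print(policy_violations("Rain.Cloud.77", history))    # passes every rule
```

The dictionary check deliberately strips digits and symbols first, so "Password1!" is still rejected as a dictionary word even though it satisfies the length and character-class rules; a policy that only counts character classes would accept it.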
Security Controls - Physical Security

Typically involves:
• Physical access to hardware, software and data
• Fire prevention, detection and control
• Environmental hazard prevention, detection and control

Safety of employees and personnel on-site must be the first concern.
Security Controls - Logical Security

Software-based controls that allow:
• Identification of individual users of IS data and resources
• Restriction of access to specific data or resources
• Generation of audit trails of system and user activity
Access Control

Diagram: layered access control. Each application (e.g. the Sales system and the Accounting system) has its own application-level access control; beneath them sits the operating-system access control (O/S), which in turn guards the database, files and tables.
Introduction to OS (cont)

Access Control Program
• Authentication
• Authorisation
• Audit Logging

Authentication
• Identification and confirmation of an individual using pre-defined access data stored in the system
• Types of authentication:
  - Knowledge
  - Possession
  - Characteristic

Authorisation
• Check the individual’s authorisation before allowing access to specific computer resources (e.g. data files, programs, commands, devices, communication capabilities, etc.)
• Individual rights & resource protection
• Best practice: allow access on a “need-to-use” basis only

Audit Logging
• Recording critical activities, such as use of privileged IDs, critical processes, data and utilities, and security events
• Reviews and log maintenance
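The three functions of an access control program described above can be shown in a few dozen lines. The Python below is an added example (not code from the slides or any particular operating system): a knowledge-factor authentication against stored hashed access data with lockout after 3 invalid attempts (an assumed threshold), a "need-to-use" authorisation table where anything not explicitly granted is denied, and an audit log whose review function pulls out privileged-ID activity and security events. The user names, resources, ACL entries and passwords are constructed.

```python
"""Access control program: authentication, authorisation, audit logging.

Added example, not from the slides. It exercises the three functions named
on the slide with knowledge-factor (password) authentication, a
"need-to-use" authorisation table (anything not explicitly granted is
denied) and an audit log that records privileged-ID activity and security
events for later review. Users, resources and the ACL are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

MAX_INVALID_ATTEMPTS = 3   # assumed lockout threshold


def _store(password: str) -> bytes:
    """Salted PBKDF2 hash (salt || digest) so the stored access data is not the password."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _check(password: str, stored: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), stored[:16], 100_000)
    return hmac.compare_digest(stored[16:], digest)


# Constructed accounts; the passwords are assumed sample values.
ACCOUNTS: Dict[str, dict] = {
    "alice": {"secret": _store("Rain.Cloud.77"), "invalid": 0, "suspended": False},
    "sysop": {"secret": _store("Sunny-Day-2023"), "invalid": 0, "suspended": False},
}
PRIVILEGED_IDS: Set[str] = {"sysop"}

# Need-to-use: (user, resource) -> allowed actions. Absence means deny.
ACL: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll.dat"): {"read"},
    ("sysop", "payroll.dat"): {"read", "write"},
    ("sysop", "disk_utility"): {"execute"},
}

AUDIT_LOG: List[dict] = []


def log_event(event: str, user: str, resource: str = "", outcome: str = "") -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event, "user": user, "resource": resource, "outcome": outcome,
        "privileged": user in PRIVILEGED_IDS,
    })


def authenticate(user: str, password: str) -> bool:
    """Confirm identity against the pre-defined access data; lock out after repeated failures."""
    account = ACCOUNTS.get(user)
    if account is None or account["suspended"]:
        log_event("sign-on", user, outcome="rejected")
        return False
    if _check(password, account["secret"]):
        account["invalid"] = 0
        log_event("sign-on", user, outcome="success")
        return True
    account["invalid"] += 1
    if account["invalid"] >= MAX_INVALID_ATTEMPTS:
        account["suspended"] = True
        log_event("account-suspended", user, outcome="security event")
    log_event("sign-on", user, outcome="invalid password")
    return False


def authorise(user: str, resource: str, action: str) -> bool:
    """Grant only what the ACL explicitly lists for this user and resource."""
    allowed = action in ACL.get((user, resource), set())
    log_event("access", user, resource, f"{action}:{'granted' if allowed else 'denied'}")
    return allowed


def access(user: str, password: str, resource: str, action: str) -> str:
    """Full path a request takes: authenticate first, then authorise, logging both."""
    if not authenticate(user, password):
        return "authentication failed"
    return "granted" if authorise(user, resource, action) else "denied"


def privileged_activity() -> List[dict]:
    """Log review: everything done under a privileged ID, plus security events."""
    return [e for e in AUDIT_LOG if e["privileged"] or e["event"] == "account-suspended"]
```

Every decision, granted or denied, is written to the log before the result is returned, so the review function can reconstruct who tried what; the suspension of an account is recorded as its own security event rather than inferred from a run of failures.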
Database

Flat File vs Database

Diagram: with flat files each department (Accounting, Finance, Marketing, Production) keeps its own customer, invoice, receipt and product files; with a database, a single DBMS holds the shared data and serves queries (Query 1, Query 2) from all of them.

Database Model

Diagram: the Database Administrator and System Development define the data through the DBMS using the Data Definition Language; application programs, transactions and users reach the data through the Data Manipulation Language and the Query Language; the DBMS runs on the host operating system and manages the physical database.
Computer Network

Network Components
• Computer servers/desktops (with network communication hardware)
• Cable/wire/wireless
• Network equipment: router, firewall, bridge, repeater
• Protocol

Network Terminology
• Public Network
• Private Network
• Virtual Private Network

Network Controls
• Network design (zoning & segmentation)
• Network equipment placement and settings
• Network security software
• Others

Network Zoning

Network Equipment - Firewall

Controls
• OS controls
• Firewall admin restrictions
• Rulebase settings
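The network controls above (zoning and segmentation, firewall admin restrictions, rulebase settings) lend themselves to an automated review of a firewall's rulebase. The Python below is an added example (not code from the slides or any firewall product): it reads a constructed rulebase and reports rules that allow every service, rules that let a low-trust zone reach a high-trust zone directly instead of through the DMZ, management access exposed to untrusted sources, a missing final deny-all cleanup rule, and rules shadowed behind it. The zone names and trust ordering are assumptions.

```python
"""Firewall rulebase review checks an IT auditor can automate.

Added example, not from the slides. The zoning model (internet < dmz <
internal < management, by trust) and the sample rulebase are constructed.
The checks follow the slide's firewall controls: rulebase settings are
tested for overly permissive rules and for traffic that bypasses the
zoning design, and admin access is checked for restriction to trusted sources.
"""
from typing import Dict, List

TRUST = {"internet": 0, "dmz": 1, "internal": 2, "management": 3}   # assumed zoning

# Constructed rulebase, evaluated top-down, first match wins.
RULES: List[Dict[str, str]] = [
    {"id": "1", "src": "internet", "dst": "dmz", "service": "tcp/443", "action": "allow"},
    {"id": "2", "src": "internet", "dst": "internal", "service": "any", "action": "allow"},
    {"id": "3", "src": "internal", "dst": "internet", "service": "tcp/80,tcp/443", "action": "allow"},
    {"id": "4", "src": "any", "dst": "management", "service": "tcp/22", "action": "allow"},
    {"id": "5", "src": "any", "dst": "any", "service": "any", "action": "deny"},
    {"id": "6", "src": "dmz", "dst": "internal", "service": "tcp/1433", "action": "allow"},
]


def finding(rule_id: str, check: str, detail: str) -> dict:
    return {"rule": rule_id, "check": check, "detail": detail}


def review_rulebase(rules: List[Dict[str, str]]) -> List[dict]:
    """Walk the rulebase in order and collect audit findings."""
    findings = []
    cleanup_seen = False
    for rule in rules:
        rid, src, dst, svc, act = (rule[k] for k in ("id", "src", "dst", "service", "action"))
        if cleanup_seen:
            # Anything after the final deny any/any can never match.
            findings.append(finding(rid, "unreachable", "placed after the deny any/any cleanup rule"))
            continue
        if act == "deny" and (src, dst, svc) == ("any", "any", "any"):
            cleanup_seen = True
            continue
        if act != "allow":
            continue
        if svc == "any":
            detail = "allow any/any" if "any" in (src, dst) else "allows every service between the zones"
            findings.append(finding(rid, "overly permissive", detail))
        # Zoning: a lower-trust zone must not skip a tier (e.g. internet straight to internal).
        if src in TRUST and dst in TRUST and TRUST[dst] - TRUST[src] > 1:
            findings.append(finding(rid, "zoning bypass", f"{src} reaches {dst} directly"))
        # Admin restriction: the management zone must not be reachable from untrusted sources.
        if dst == "management" and src in ("any", "internet"):
            findings.append(finding(rid, "admin restriction", "management zone reachable from an untrusted source"))
    if not cleanup_seen:
        findings.append(finding("-", "missing cleanup rule", "no explicit final deny any/any"))
    return findings


if __name__ == "__main__":
    for f in review_rulebase(RULES):
        print(f"rule {f['rule']}: {f['check']} ({f['detail']})")
```

Run against the sample rulebase, rule 2 raises two findings (all services, and internet reaching the internal zone without passing through the DMZ), rule 4 exposes management access to any source, and rule 6 is unreachable because it sits below the cleanup rule. Dropping the cleanup rule instead produces the "missing cleanup rule" finding.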
Application Controls

Background
• Specific to an application, and independent of other applications
• Address completeness, accuracy, validity and authorisation of data being processed by the system
• Controls can be “automated” or “manual” and can be “preventive”, “detective” or “corrective”
• Automated processing
• The level of control depends on the level of business risk

Risks
• Application functions may not be adequately segregated
• Users may have excess system authorities
• Transactions may be entered incorrectly, incompletely, more than once, or not timely
• Transactions may be processed incorrectly, incompletely, more than once, or not timely
• Outputs may not be properly and safely used

Control areas
1. Access to application functions (segregation of duties within the application)
2. Input controls (incl. rejected/suspended inputs, interfaces)
   a. Planning & design
   b. Edit/validate by the system
   c. Procedures to review accuracy and completeness of input
3. Processing controls
4. Output controls (usage & confidentiality)
IT Auditing Areas

Risk-Based Audit Approach

Diagram: Risk, Controls, Audit. Controlled risks are mapped to internal controls, which the audit tests for efficiency (test of controls). Uncontrolled risks lead to advice for improvement and to substantive testing.
Auditing Process

Phases: Strategic Planning, Assignment Planning, Execution, Reporting, Follow-Up.

Strategic Planning
• Business objectives
• Define weight of objectives
• Define auditable areas
• Define risk factors
• Risk assessment
• Define audit approach
• Prioritise
• Identify resources
• Audit schedule
• Audit strategic plan

Assignment Planning
• Obtain understanding (system documentation, walk-through testing)
• Identify risks
• Risk/control analysis (risks vs control procedures)
• Identify key controls
• Prepare audit programs (procedures vs audit instructions)
• Allocate staff
Computer Assisted Audit Technique (CAAT)

Diagram (as in the introduction): nested Computer Environment, Computer Center, Application and Data Files, with CAAT positioned as "Using Tools to Audit the Information".
Nature of CAAT
• Who should be responsible for CAAT?
• Ideally, the general auditor should be responsible for all steps.
• In reality, the computer auditor plays a supporting role.

CAAT Considerations
• Mix of computer and manual tests
• Computer knowledge, expertise and experience of the auditor
• Reliability of general computer controls
• Availability of CAATs and suitable facilities
• Impracticability of manual audit procedures
• Effectiveness and efficiency of the testing
• Development time

CAAT Objectives
• Detailed testing of transactions, data and processes where efficiency and effectiveness can be gained, or where manual testing is not possible or feasible, including:
  • Testing of accuracy & completeness of processes
  • Analysis and testing of data
  • Fraud analysis & evidence collection
Parallel Simulation

Diagram, steps:
1. The application processes the live data and produces the application report.
2. The data is downloaded to removable storage.
3. The auditor develops a CAAT program that re-performs the processing.
4. The CAAT program is run over the downloaded data and produces the CAAT report.
5. The two reports are compared.

Test Data Approach / Test Transactions

Diagram, steps:
1. The application program is copied.
2. The auditor prepares CAAT test data.
3. The copied program is run over the test data and produces a report.
4. The report is compared with a manually calculated report.
CAAT Steps
1. Determine if CAAT is appropriate
2. Define audit objectives
3. Determine required data
4. Arrange for data download
5. Perform analysis & testing
6. Summarise & document

Step 2, define audit objectives:
• Audit objectives should link to business risks or audit risks
• The auditor requires an understanding of the system
• Consult with the system development group before finalising

Tests typically performed in step 5:
• Validity (exception testing & duplicates)
• Accuracy (mathematics)
• Completeness (gaps)
• Cut-off
• Analytical review

Steps 3 to 5:
• Understand the business process and conditions
• Field and record conditions
• Understand calculation formulae and methods
• Conceptual design of the testing
• Build & test
• Actual analysis & testing
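The step-5 tests listed above, together with the parallel simulation idea of re-performing the application's arithmetic, come down to a handful of set and arithmetic operations over the downloaded data. The Python below is an added example (not code from the slides or any audit software): it loads a constructed six-line invoice extract and runs the validity (exception and duplicate), accuracy (recomputation), completeness (sequence gap), cut-off and analytical review tests over it. The extract, the field layout and the audit period are constructed sample data.

```python
"""CAAT analysis over a constructed invoice extract.

Added example, not from the slides. It implements the step-5 tests named
on the slide: validity (exception testing & duplicates), accuracy
(recomputing the mathematics, as in parallel simulation), completeness
(sequence gaps), cut-off (transactions dated outside the period) and a
simple analytical review (totals by customer). The CSV extract and the
audit period are constructed sample data.
"""
import csv
import io
from collections import Counter
from datetime import date
from decimal import Decimal
from typing import Dict, List

# Constructed extract as downloaded from the application (step 4).
EXTRACT = """invoice_no,invoice_date,customer,qty,unit_price,total
1001,2023-12-28,C01,10,5.00,50.00
1002,2023-12-29,C02,3,20.00,60.00
1002,2023-12-29,C02,3,20.00,60.00
1004,2023-12-30,C03,7,10.00,71.00
1005,2024-01-02,C01,1,5.00,5.00
1006,2023-12-31,,2,5.00,10.00
"""
PERIOD_START, PERIOD_END = date(2023, 12, 1), date(2023, 12, 31)   # assumed audit period


def load(text: str) -> List[dict]:
    """Parse the extract; the field and record conditions (types) are applied here (step 3)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_no": int(r["invoice_no"]),
            "invoice_date": date.fromisoformat(r["invoice_date"]),
            "customer": r["customer"].strip(),
            "qty": int(r["qty"]),
            "unit_price": Decimal(r["unit_price"]),
            "total": Decimal(r["total"]),
        })
    return rows


def duplicates(rows: List[dict]) -> List[int]:
    """Validity: invoice numbers that appear more than once."""
    counts = Counter(r["invoice_no"] for r in rows)
    return sorted(n for n, c in counts.items() if c > 1)


def sequence_gaps(rows: List[dict]) -> List[int]:
    """Completeness: numbers missing from the invoice sequence."""
    present = {r["invoice_no"] for r in rows}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def arithmetic_exceptions(rows: List[dict]) -> List[int]:
    """Accuracy: re-perform qty x unit price and compare with the recorded total."""
    return [r["invoice_no"] for r in rows if r["qty"] * r["unit_price"] != r["total"]]


def cutoff_exceptions(rows: List[dict]) -> List[int]:
    """Cut-off: invoices dated outside the audit period."""
    return [r["invoice_no"] for r in rows
            if not PERIOD_START <= r["invoice_date"] <= PERIOD_END]


def validity_exceptions(rows: List[dict]) -> List[int]:
    """Exception testing: mandatory field (customer) left blank."""
    return [r["invoice_no"] for r in rows if not r["customer"]]


def analytical_review(rows: List[dict]) -> Dict[str, Decimal]:
    """Totals by customer, for comparison with expectations or prior periods."""
    totals: Dict[str, Decimal] = {}
    for r in rows:
        totals[r["customer"]] = totals.get(r["customer"], Decimal("0")) + r["total"]
    return totals


def run_caat(text: str) -> dict:
    rows = load(text)
    return {
        "duplicates": duplicates(rows),
        "sequence_gaps": sequence_gaps(rows),
        "arithmetic_exceptions": arithmetic_exceptions(rows),
        "cutoff_exceptions": cutoff_exceptions(rows),
        "validity_exceptions": validity_exceptions(rows),
        "totals_by_customer": analytical_review(rows),
    }


if __name__ == "__main__":
    for test, result in run_caat(EXTRACT).items():
        print(f"{test}: {result}")
```

Each of the five deliberately seeded defects in the extract is caught by exactly one test: the repeated 1002 by the duplicate test, the missing 1003 by the gap test, the mis-added 1004 by recomputation, the January-dated 1005 by cut-off, and the blank customer on 1006 by exception testing. Money is handled as Decimal so the recomputation compares exact values rather than floating-point approximations.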
Audit Software

• Generalised audit software
• Specialised audit software
• Report writer utilities / query language
• Microcomputer applications
Control quadrant: Cost vs. flexibility

Diagram (PwC): controls placed by flexibility (vertical axis, high to low) and cost (horizontal axis, high to low).
• High flexibility, high cost: manual detective controls
• High flexibility, low cost: real-time detective controls
• Low flexibility, high cost: manual preventive controls
• Low flexibility, low cost: automated preventive controls
Continuous auditing overview

Continuous Controls Monitoring covers two activities:
• Continuous Auditing: includes monitoring, assessing and mitigating risk associated with operations, finance and fraud, automatically and on a more frequent basis. Performed by Internal Audit or the Controls Dept.
• Continuous Monitoring: includes the processes that management puts in place to ensure that the policies, procedures and business processes are operating effectively. Performed by operational/financial management.

Continuous Assurance: the combination of continuous auditing and audit oversight of continuous monitoring.

Technology as an enabler
Internal Audit Process Framework – as is

Annual cycle: Risk Assessment, Audit Plan, Fieldwork, Reporting, Wrap-Up. Technology is being applied in fieldwork (audit management and data analysis) to speed up the audit process.

How CM/CA should be developed
1. Planning: choose the right area/business process
2. Risk Assessment: identify key risks, indicators and the data required for analysis
3. Acquire & Prepare: an extractor pulls data (process, approvals, transactions, accounts) from the source systems (billing, HR, GL, ERP, custom)
4. Analyze: run analytics over the prepared data
5. Manage & Report: analytics workbench