What is Risk?

Definition of Risk

[Diagram: definition of risk. Terms shown: Risks, Threats, Objectives, Opportunities, Impact (High / Medium / Low)]
What is IS Risk?

Definition of IS Risk

Understanding IS Risk
In evaluating an IT-related business process, understanding the relationship between risk and control is important. Therefore the business:
- must be able to identify and differentiate risk types and the controls used to mitigate these risks;
- must have knowledge of common business risks, related technology risks and the relevant controls;
- must be able to evaluate the risk assessment and management techniques used by business managers.
Examples of IT risks:
- technical failure of computer servers
- failure in system implementation
- human error in input of data
- communication infrastructure failure
- physical threat and theft
- electronic and malicious threats (e.g. hacking)
- and others
Security Incident in 2014

DISCUSSION: Is there any impact on financial reporting?
2. Information System Characteristics and Their Impact on the Audit

Information system characteristics:
A. Lack of transaction trails
B. Uniformity of processing
C. Lack of segregation of duties (functions)
D. Potential for errors and irregularities
E. Automated initiation and execution of transactions
F. Dependence on other controls
G. Potential for increased supervision

Mapping of characteristics to audit risk components:
- Inherent risk: A (lack of transaction trails), B (uniformity of processing), D (potential for errors and irregularities), E (initiation and execution of transactions)
- Control risk: C (lack of segregation of functions), F (dependence on other controls)
- Detection risk: (no characteristics listed on the slide)
What is Internal Control?

Relationship of Risk and Control
ICoFR (internal control over financial reporting) is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, and effected by the company's BoD, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect transactions and dispositions of assets.
[Diagram: internal control components (Control Environment, Risk Assessment, Control Activities, Monitoring) mapped across organizational levels (Entity Level, Division, Activity 1, Activity 2)]
IS Control Objectives
- Safeguarding of assets
- Assuring the integrity of general operating system environments
- Assuring the integrity of sensitive and critical application system environments through:
  - authorization of the input
  - accuracy and completeness of processing of transactions
  - accuracy, completeness and security of the output
- Ensuring the efficiency and effectiveness of operations
- Complying with requirements, policies and procedures, and applicable laws
- Developing business continuity and disaster recovery plans
IT Control Classifications

[Diagram: IT controls in relation to financial reports. Financial reports shown: Balance Sheet, Income Statement, Notes to FS, Management Report, Others. Business processes shown: IT Management, Purchasing, Human Resources, Others. Control components shown: Risk Assessment, Control Activities, Information and Communication, Monitoring. Control layers shown: Entity Level Control (Entity Level & IT) and Transactional Level & IT General Control]
Entity level controls have an important but indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls might affect the other controls selected for testing and the nature, timing, and extent of procedures to be performed on other controls.

Transactional level controls, including manual controls and application system controls, are controls that mitigate risks in the financial reporting process.

The nature, timing, and extent of ITGC (IT general controls) correlate with the risk within the IT environment, such as IT Organization & Relationships (SOD); IT Policies & Procedures; IT Risk Assessment Plan; IT Management; and Information Security.
IT General Control

IT Level of Sophistication

The level of sophistication is directly related to the proper quantity and power of IT audit procedures. That is, a low level would use rather simple procedures (low-strength procedures such as inquiry and observation) and would be rather limited as to the number of procedures.
IT Entity Level Control

IT Governance

IT Governance ensures the alignment of IT facilities with the business needs and the proper management of these facilities.

Key Risks:
- IT does not support business needs
- Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
- Unwanted combination of functions
- Untimely management reporting
- High dependence on one or a few persons
Key Controls needed:
- Proper planning and budgeting
- Quality and quantity of staff
- Segregation of duties or close supervision
- Efficient use of IT
- Proper procedures and documentation

Change Management
Also known as Program Development and Program Changes, System Development and Acquisition, or others.

Basically, change management controls are the controls management has in place to ensure that all changes in the IT portfolio are authorized properly and implemented securely.

These controls ensure that systems or technologies were acquired with some forethought as to their reliability and applicability to the entity, and were tested offline diligently before becoming operational.

Change management applies to software (applications) and hardware (infrastructure, including operating systems and networks).
Information Security

Also known as Access Management, Logical and Physical Security, or others.

Information security relates to the inherent risk that an unauthorized party could gain access to financial reporting applications or data and intentionally or unintentionally create misstatements in the data.

Information security is primarily related to two types of access: physical access and logical access.

Logical Security

Logical security involves determining who can go where and whether they are authorized. This means that identification of users as well as authentication of users is a prerequisite for any subsequent security measure, such as determining the authority level of users.

The IT assets under logical security can be grouped in four layers:
- Networks
- Platforms (operating systems)
- Databases
- Applications
[Diagram: logical security mechanisms. Identification (User Profiles), Authentication (Access control files), Authorization (Database, Log, Software Library), Encryption]
Environmental Controls
- Alarm control panels
- Water detectors
- Handheld fire extinguishers
- Manual fire alarms
- Smoke detectors
- Fire suppression systems
- Computer room location
- Regular inspection by fire department
- Fireproof walls, floors and ceilings
- Electrical surge protectors
- Uninterruptible power supply / generator
- Emergency power-off switch
Backup and Recovery

Backup and recovery relate to the entity's ability to recover from a critical event that causes the loss of data and/or systems. It could be as simple as restoring a backup of data, necessary because the network hard drive crashed and is no longer accessible, thus requiring the entity to reconstruct its accounting records, including those since the backup was last made. It could be of larger scope if the computer center burns or is destroyed by a tornado, hurricane/typhoon or other storm. In that case, the entity has to restore systems and technologies (e.g., hardware) as well as data.

This issue is commonly referred to as business continuity planning (BCP) or disaster recovery planning (DRP).

Key Controls:
- Regular backups, preferably daily
- Safe storage of tapes, preferably in a fireproof vault and externally (offsite)
- Periodic testing of restores from backup tapes
- Preparation of a Business Continuity Plan
[Diagram: threats to business continuity. Damage of building/equipment; hacking; disaster; terrorism/war; virus; other business failure]

Companies need a Business Continuity Plan to continue operations when a disaster occurs.
Continuity Response

Emergency Response:
- Initial response and declare incident
- Restore key processes
- Process backlog
Third-Party IT Providers

Also known as IT Outsourcing, Vendor Management or others.

This refers to the use of third-party providers who provide some service to the user entity that is relevant to the financial reporting transactions or processes.
Application Control

Input Controls

These controls are used mainly to check the integrity of data entered into a business application.

Example:
- Users are limited to selecting values in a pre-populated dropdown box.
- The system validates that a valid number is entered into a field where a dollar amount is expected.

Processing Controls

Output Controls

These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.

Example:
- Reports are complete and accurate.
Other application controls:
- Integrity Controls
- Audit Trail
- Segregation of Duties
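The input and output controls above, plus an audit trail, worked through on a constructed purchase-entry batch. This is an added example, not code from the slide deck; the cost-centre whitelist, the batch layout with header control totals and all function names are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation
# Input control: the cost-centre field is a pre-populated dropdown, so only
# these whitelisted values are accepted (constructed sample values).
VALID_COST_CENTRES = {"PURCHASING", "HR", "IT"}

def validate_amount(raw):
    """Input control: a dollar-amount field must hold a non-negative number
    with at most two decimals. Returns a Decimal or raises ValueError."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}")
    if amount < 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError(f"invalid dollar amount: {raw!r}")
    return amount

def process_batch(batch, audit_log):
    """Apply input controls per record, post the accepted ones, then compare
    the posted count and total with the batch header (output control)."""
    accepted, rejected = [], []
    for entry in batch["entries"]:
        try:
            if entry["cost_centre"] not in VALID_COST_CENTRES:
                raise ValueError(f"unknown cost centre: {entry['cost_centre']!r}")
            accepted.append(dict(entry, amount=validate_amount(entry["amount"])))
            audit_log.append(("ACCEPT", entry["id"], str(accepted[-1]["amount"])))
        except ValueError as err:
            rejected.append(entry["id"])
            audit_log.append(("REJECT", entry["id"], str(err)))  # audit trail
    posted_total = sum((e["amount"] for e in accepted), Decimal("0"))
    # Output control: a batch whose posted results do not match the header
    # control totals is flagged for review rather than reported as complete.
    reconciled = (len(accepted) == batch["expected_count"]
                  and posted_total == Decimal(batch["control_total"]))
    audit_log.append(("RECONCILE", len(accepted), str(posted_total), reconciled))
    return accepted, rejected, posted_total, reconciled

# Constructed sample batch: two clean records plus an unknown cost centre, a
# non-numeric amount and a negative amount. The header totals are what the
# clerk keyed for all five documents, so this batch will not reconcile.
SAMPLE_BATCH = {
    "expected_count": 5, "control_total": "1650.50",
    "entries": [
        {"id": 1, "cost_centre": "IT", "amount": "1250.00"},
        {"id": 2, "cost_centre": "SALES", "amount": "99.99"},
        {"id": 3, "cost_centre": "HR", "amount": "12abc"},
        {"id": 4, "cost_centre": "PURCHASING", "amount": "-5.00"},
        {"id": 5, "cost_centre": "HR", "amount": "300.5"},
    ],
}
```

A rejected record still leaves its reason in the audit log, so the reconciliation exception can be traced back to the specific inputs that were refused.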
Thanks!

"It is not that I'm so smart. But I stay with the questions much longer." (Albert Einstein)