Internal Auditing: Assurance & Advisory Services Chapter 7 – Information Technology Risk and Controls
4th edition
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation.
Chapter 7: Information Technology Risk and Controls
Learning objectives
Understand how IT is intertwined with business objectives, strategies, and operations.
Describe the key components of modern information systems.
Explain the nature of IT opportunities and risks.
Understand fundamental IT governance, risk management, and control concepts.
Understand the implications of IT for internal auditors.
Describe the skills and IT talents required for internal auditors for the future.
Identify sources of IT audit guidance.
Describe the top 10 technology risks.
Explain why cybersecurity is one of the most significant risks to the organization.
Understand the implications the introduction of new technology has on the business environment.
Understand how internal audit can provide guidance during IT projects.
Technology controls
By the area in which an IT control resides, it can be classified as either a general control or an application control.
General controls (also known as infrastructure controls) apply to all systems components, processes, and data for a given organization or systems environment. General controls include, but are not limited to: information security policy, administration, access, and authentication; backup, recovery, and business continuity.
Application controls pertain to the scope of individual business processes or application systems. They include such controls as data edits, transaction logging, and error reporting.
The function of a control is highly relevant to the assessment of its design and effectiveness. Controls may be classified as preventive, detective, or corrective.
Preventive controls prevent errors, omissions, or security incidents from occurring. Examples include antivirus software, firewalls, and intrusion prevention systems.
Detective controls detect errors or incidents that elude preventive controls. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities.
Corrective controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors to recovery from incidents, disruptions, or disasters.
Another common classification of controls is by the group responsible for ensuring they are properly implemented and maintained. For the purpose of assessing roles and responsibilities, this guide primarily categorizes IT controls as governance, management, and technical.
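As an added illustration (not from the textbook), the detective control described above, written as a Python check that scans a constructed transaction log against a constructed account master and queues activity on inactive, flagged, or unknown accounts for review:

```python
"""Detective control: flag transactions on inactive or monitored accounts.

Added illustration (not from the textbook): the account master and the
transaction log below are constructed sample data.
"""
import csv
from io import StringIO

# Constructed account master: status is 'active', 'inactive' or 'flagged'.
ACCOUNT_MASTER = """account,status
1001,active
1002,inactive
1003,flagged
1004,active
"""

# Constructed daily transaction log (amounts in the ledger's currency units).
TRANSACTION_LOG = """txn_id,account,amount,user
T1,1001,250.00,jsmith
T2,1002,900.00,jsmith
T3,1003,40.00,abrown
T4,9999,15.00,abrown
T5,1004,120.00,clee
"""


def load_master(text):
    """Map account number -> status from the CSV account master."""
    return {row["account"]: row["status"] for row in csv.DictReader(StringIO(text))}


def detect_exceptions(master_text, log_text):
    """Return a list of (txn_id, account, reason) for the review queue.

    Three exception types are reported: activity on an inactive account,
    activity on an account flagged for monitoring, and activity on an
    account missing from the master (a gap the preventive edits should
    have stopped, so it is escalated rather than silently skipped).
    """
    master = load_master(master_text)
    exceptions = []
    for row in csv.DictReader(StringIO(log_text)):
        status = master.get(row["account"])
        if status is None:
            exceptions.append((row["txn_id"], row["account"], "unknown account"))
        elif status == "inactive":
            exceptions.append((row["txn_id"], row["account"], "inactive account"))
        elif status == "flagged":
            exceptions.append((row["txn_id"], row["account"], "flagged account"))
    return exceptions


if __name__ == "__main__":
    for txn_id, account, reason in detect_exceptions(ACCOUNT_MASTER, TRANSACTION_LOG):
        print(f"{txn_id}: account {account} - {reason}")
```

Running the check against the sample data reports T2 (inactive), T3 (flagged) and T4 (unknown account); T1 and T5 pass.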
COSO model for technology controls

Control Environment:
Tone from the Top – IT and Security Controls Considered Important
Overall Technology Policy and Information Security Policy
Corporate Technology Governance Committee
Technology Architecture and Standards Committee
Full Representation of All Business Units

Risk Assessment:
IT risks included in overall corporate risk assessment
IT integrated into Business Risk Assessments
Differentiate IT controls for high risk business areas/functions
IT Internal audit assessment
IT Insurance assessment

Control Activities:
Review Board for Change Management
Comparison of technology initiatives to plan and ROI
Documentation and approval of IT plans and systems architecture
Compliance with Information and Physical Security Standards
Adherence to Business Continuity Risk Assessment
Technology standards compliance enforcement

Information & Communication:
Periodic corporate communications (intranet, e-mail, meetings, mailings)
Ongoing technology awareness of best practices
IT performance survey
IT and security training
Help desk ongoing issue resolution

Monitoring:
Monthly metrics from Technology Performance
Technology Cost and Control performance analysis
Periodic Technology management assessments
Internal audit of technology enterprise
Internal audit of high risk areas
17 GTAGs published

GTAG: IT Controls (published March 2005; 2nd edition March 2012)
GTAG: Change and Patch Management Controls (published June 2005; 2nd edition March 2012)
GTAG: Continuous Auditing (published October 2005; update coming soon)
GTAG: Management of IT Auditing (published March 2006; 2nd edition January 2013)
GTAG: Information Technology Outsourcing (published March 2007)
GTAG: Auditing Application Controls (published July 2007)
GTAG: Business Continuity Management (published July 2008; updated August 2014)
GTAG: Developing the IT Audit Plan (published July 2008)
GTAG: Auditing IT Projects (published March 2009)
GTAG: Fraud Detection and Prevention in an Automated World (published December 2009)
GTAG: Auditing User Developed Applications (published June 2010)
GTAG: Identity and Access Management (published July 2007)
GTAG: Information Security Governance (published July 2010)
GTAG: Data Analysis Technologies (published August 2011)
GTAG: Auditing IT Governance (published July 2012)
GTAG: Auditing Smart Devices (published August 2016)
GTAG: Assessing Cybersecurity Risk (published September 2016)