DOCSLIB.ORG

Leveraging It Controls to Improve It Operating Performance

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Leveraging It Controls to Improve It Operating Performance LEVERAGING IT CONTROLS TO IMPROVE IT OPERATING PERFORMANCE By Daniel Phelps and Kurt Milne June 2008 Disclosure Copyright © 2008 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of the publisher. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. The Institute of Internal Auditors’ (IIA) International Professional Practices Framework for Internal Auditing (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing. The mission of The IIARF is to expand knowledge and understanding of internal auditing by providing relevant research and educational products to advance the profession globally. The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting today’s business world. Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The Foundation and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the researchers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF. ISBN 978-0-89413-625-2 08276 06/08 First Printing Leveraging IT Controls to Improve IT Operating Performance i TABLE OF CONTENTS Executive Summary .........................................................................................................................1 Foreword ..........................................................................................................................................4 Acknowledgments............................................................................................................................5 About the Authors ............................................................................................................................6 Preface..............................................................................................................................................7 Introduction ......................................................................................................................................8 Chapter 2: Study Scope ..................................................................................................................13 Chapter 3: Summary of Key Findings............................................................................................19 Chapter 4: Understanding the Impact of Foundational Controls....................................................23 Chapter 5: Application of These Findings......................................................................................37 Chapter 6: Performance Improvement Potential ............................................................................39 Appendix A: Glossary of Terms.....................................................................................................61 Appendix B: Clustering IT Organizations Based On Control Use, Performance, and Size .............................................................................................................62 Appendix C: Identifying Foundational Controls............................................................................70 Appendix D: Assessing the Impact of Process Maturity................................................................75 List of Tables Table 1 ...............................................................................................................................16 Table 2 ...............................................................................................................................18 List of Figures Figure 1 ..............................................................................................................................14 Figure 2 ..............................................................................................................................41 Figure 3 ..............................................................................................................................42 Figure 4 ..............................................................................................................................43 Figure 5 ..............................................................................................................................44 Figure 6 ..............................................................................................................................45 Figure 7 ..............................................................................................................................46 Figure 8 ..............................................................................................................................47 Figure 9 ..............................................................................................................................48 Figure 10 ............................................................................................................................49 © 2008 The Institute of Internal Auditors Research Foundation Leveraging IT Controls to Improve IT Operating Performance ii List of Figures (cont'd) Figure 11 ............................................................................................................................50 Figure 12 ............................................................................................................................51 Figure 13 ............................................................................................................................52 Figure 14 ............................................................................................................................53 Figure 15 ............................................................................................................................54 Figure 16 ............................................................................................................................55 Figure 17 ............................................................................................................................56 Figure 18 ............................................................................................................................57 Figure 19 ............................................................................................................................58 Figure 20 ............................................................................................................................63 Figure 21 ............................................................................................................................64 Figure 22 ............................................................................................................................65 Figure 23 ............................................................................................................................66 Figure 24 ............................................................................................................................67 Figure 25 ............................................................................................................................68 Figure 26 ............................................................................................................................70 Figure 27 ............................................................................................................................72 Figure 28 ............................................................................................................................75 © 2008 The Institute of Internal Auditors Research Foundation Leveraging IT Controls To Improve IT Operating Performance 1 EXECUTIVE SUMMARY The Institute of Internal Auditors Research Foundation (IIARF) and the Institute of Internal Auditors (IIA) Advanced Technology Committee invited the IT Process Institute (ITPI) to participate in the IT Audit Research Symposium held June 18, 2006, in conjunction with The IIA’ International Conference in Houston, Texas. Subsequently, The IIARF commissioned ITPI to conduct a study of how information technology (IT) controls impact operational performance. The study was designed to give IT audit and operations professionals empirical data about which IT controls have the biggest impact on operational performance, and about the effect of higher levels of IT control process maturity. The study did not look at how IT controls reduce risk, but instead focused on how IT controls that are often mandated by regulatory requirements also improve performance if implemented at sufficient levels of process maturity. A Web-based survey was completed
Load more

Recommended publications
  • Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
    1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction .............................................................................................................................. 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley .... 2 1. Is there an overall approach to IT risk and control consideration that should be followed? .......................... 2 2. Why is it so important to consider IT when evaluating internal control over financial reporting? ............... 4 3. How should Section 404 compliance teams define “IT risks and controls”? .................................................. 5 4. How does management identify and prioritize IT risks? ................................................................................. 5 5. What guidance does COSO provide with respect to IT controls? .................................................................. 6 6. What guidance is provided by the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework with respect to IT controls? ........................................................................................................... 6 7. How do COSO and COBIT facilitate a Section 404 compliance effort? ........................................................ 6 8. If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts? .......................................................................................................................
    [Show full text]
  • GTAG 1: Information Technology Controls
    Information Technology ControlsA uditing Application Controls Authors David A. Richards, CIA, President, The IIA Alan S. Oliphant, MIIA, QiCA, MAIR InternationalChristine Bellino, Jefferson Wells Charles H. Le Grand, CIA, CHL GlobalSteve Hunt, Enterprise Controls Consulting LP July 200March 20057 Copyright © 20057 by The Institute of Internal Auditors (IIA), 247 Maitland Ave., Altamonte Springs, FL 32701-4201 USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without prior written permission from the publisher. The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. GTAG — Table of Contents: Section 1 Section 19 Letter from the President..........................................ii Appendix H – CAE Checklist ................................423 Section 2 Section 20 IT Controls – Executive Summary ............................iii Appendix I – References ........................................445 Section 3 Section 21 Introduction ..........................................................1 Appendix
    [Show full text]
  • The Optimal Risk Management Framework Identifying the Requirements and Selecting the Framework
    100635 Journal vol 1 2019_Layout 1 12/12/18 12:52 PM Page 40 FEATURE The Optimal Risk Management Framework Identifying the Requirements and Selecting the Framework The tremendous rise of cybersecurity attacks, have their own proprietary frameworks or use a coupled with organizations’ exploration of new hybrid of frameworks. Do you have something technologies such as artificial intelligence (AI) and to say about this blockchain to expand their business or better Selecting a Risk Management Method or article? secure their controls, gives cause to review the Framework foundational framework that is being used to Visit the Journal pages identify, assess and action IT risk impacting What criteria are firms using to select the frameworks of the ISACA® website business objectives. This is a perpetual struggle: they use? How often are these frameworks and their (www.isaca.org/journal), reviewing the use of new technologies and their basic tenets reviewed? Is the selected framework find the article and click communicated to the employees of the firm? Is the on the Comments link to impact to the organization’s objectives, profit framework or methodology selected by the firm share your thoughts. mentality and revenue streams. With Apple and Goldman reviewing the feasibility of issuing a new understood by all? Do these frameworks use https://bit.ly/2RCieXY credit card or the old news of Internet of Things quantitative factors or qualitative factors to evaluate (IoT) or driverless cars, enterprise risk and cyberrisk risk? Short of performing a scientific survey of departments or groups must be working overtime organizations to inventory and evaluate the to evaluate and drive the analysis of risk.
    [Show full text]
  • A Risk Management Framework for IT Systems Which Adopt Cloud Computing
    future internet Article ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing Masky Mackita 1, Soo-Young Shin 2 and Tae-Young Choe 3,* 1 ING Bank, B-1040 Brussels, Belgium; [email protected] 2 Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea; [email protected] 3 Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea * Correspondence: [email protected]; Tel.: +82-54-478-7526 Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019 Abstract: Many companies are adapting cloud computing technology because moving to the cloud has an array of benefits. During decision-making, having processed for adopting cloud computing, the importance of risk management is progressively recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are directly applied, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. In order to fix this backdrop, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation for mitigating risks that can arise with cloud computing. ERMOCTAVE is composed of two risk management methods by combining each component with another processes for comprehensive perception of risks. In order to explain ERMOCTAVE in detail, a case study scenario is presented where an Internet seller migrates some modules to Microsoft Azure cloud.
    [Show full text]
  • ISACA's Risk IT in a Cloud-Based Environment
    ISACA’s Risk IT in a Cloud-based environment Kamal Khan, CISA, CISSP, MBCS, CITP Director, ISACA London Chapter March 2020 Confidential. For internal use only. Agenda • Introduction • Risk IT • Using Risk IT in a Cloud Environment • Conclusion Introduction • Kamal Khan, Director of ISACA London Chapter • Over 30 years experience in Information Systems Audit and Control • Worked in Banking, Utilities, Oil and Gas industries • Worked on initial version of Risk IT and current one which is being revised as Subject Matter Expert • ISACA London Chapter: • ISACA® is the voice of the information systems audit, IT governance, risk management and cybersecurity professions. • The ISACA London Chapter • First in the UK • Established in 1981 • Over 4,200 members, largest in the world Risk IT Confidential. For internal use only. Who uses a formal risk management process for their Cloud environment? Who has heard of ISACA Risk IT? What is Risk IT • An ISACA publication. • An end-to-end, comprehensive view of all risks related to the use of IT • Consists of two documents • The Risk IT Framework • The Risk IT Practiotoner Guide Risk IT Principles Confidential. For internal use only. Can we treat Risks in IT separately Enterprise Risk? Risk Universe • IT Risk is a component of the overall risk universe • Also a component of Strategic Risk, Environmental risk etc Enterprise Risk Strategic Environmental Market Operational Credit Compliance Risk Risk Risk Risk Risk Risk IT-related Risk IT Programme and Project IT Operations and IT Benefit / Value Risk Delivery
    [Show full text]
  • Auditing IS/IT Risk Management, Part 1
    Ed Gelbstein, Ph.D., 1940-2015, worked in Auditing IS/IT Risk Management, Part 1 IS/IT in the private and public sectors in various countries There are significant differences between THE PRACTICE for more than 50 years. conducting an IS/IT audit and conducting an IS/ Unfortunately, this is not always the case. This Gelbstein did analog and IT risk management audit. author audited several well-known organizations digital development in the that merely played lip service to risk management 1960s, incorporated digital THE THEORY at all levels. They went through the motions of computers in the control IS/IT auditors ought to be knowledgeable about engaging consultants to run a brief workshop systems for continuous the risk owned by the chief information officer on risk maps (heat maps), asked their staff to process in the late ‘60s and (CIO) and her/his team and those that have been develop them quickly, put them all in a big file early ‘70s, and managed externalized (outsourcing, cloud services, other and claimed they had done risk management. projects of increasing providers, vendors, etc.). In an ideal situation, at Given that internal audit and ERM both exist size and complexity until the least some of the IS/IT audit team should have to provide independent and robust advice to early 1990s. In the ‘90s, he a certification such as ISACA’s Certified in Risk senior management, friction between them—let became an executive at the and Information Systems Control™ (CRISC™). alone a turf war—would be bad for business. preprivatized British Railways Those involved in the enterprise risk This article provides a map of the IS/IT management (ERM) function should be able risk management activities that are auditable and then the United Nations to determine the business impact of the risk and shows how to maintain a collaborative global computing and data associated with IS/IT.
    [Show full text]
  • Risk Management & Governance
    RISK MANAGEMENT & GOVERNANCE KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Pete Burnap – Cardiff University EDITOR: Awais Rashid – University of Bristol REVIEWERS: Chris Johnson – University of Glasgow Ragnor Lofstedt – Kings College, London Jason Nurse – University of Kent Adam Shostack – Shostack & Associates © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Risk Management and Governance Pete Burnap July 2019 INTRODUCTION This Knowledge Area will explain the fundamental principles of cyber risk assessment and manage- ment and their role in risk governance, expanding on these to cover the knowledge required to gain a working understanding of the topic and its sub-areas. We begin by discussing the relationship be- tween everyday risk and why this is important in today’s interconnected digital world. We explain why, as humans, we need effective risk assessment and management principles to support the capture and communication of factors that may impact our values.
    [Show full text]
  • Risk It Practitioner Guide
    TTHEHE RRISKISK ITIT PPRACTITIONERRACTITIONER GGUIDEUIDE Risk Universe, Appetite and Tolerance Risk Awareness, Communication and Reporting Expressing and Describing Risk, Risk Scenarios Risk Responses and Prioritisation Using COBIT® and Val ITTM THE RISK IT PRACTITIONER GUIDE ISACA® With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), and Certified in the Governance of Enterprise IT® (CGEIT®) designations. ISACA developed and continually updates the COBIT, ® Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfil their IT governance responsibilities and deliver value to the business. Disclaimer ISACA has designed and created The Risk IT Practitioner Guide (the ‘Work’) primarily as an educational resource for chief information officers (CIOs), senior management and IT management. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, officers and managers should apply their own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.
    [Show full text]
  • Risk IT a Set of Guiding Principles and the First Framework to Help
    What is Risk IT? www.isaca.org/riskit Risk IT is: • A framework to help establish effective governance and management of IT risk • Part of ISACA’s product portfolio on IT governance • A framework based on a set of guiding principles for effective management of IT risk Risk IT A set of guiding principles and the first framework to help enterprises identify, What does Risk IT do? 3701 Algonquin Road, Suite 1010 govern and effectively manage IT risk. Risk IT: Rolling Meadows, IL 60008 USA • Allows enterprises to customize the components provided in the framework Web site: www.isaca.org to suit their particular needs • Provides an end-to-end, comprehensive view of all risks related to the use of Phone: +1.847.660.5700 IT and a similarly thorough treatment of risk management, from the tone and Fax: +1.847.253.1443 culture at the top, to operational issues E-mail: [email protected] • Enables enterprises to understand and manage all significant IT risk types • Provides tangible business benefits • Allows the enterprise to make appropriate risk-aware decisions • Explains how to capitalize on an investment made in an IT internal control system already in place to manage IT-related risk • Enables integration with overall risk and compliance structures within the enterprise when assessing and managing IT risk What are the benefits of using Risk IT? The benefits of using Risk IT include: • A common language to help communication amongst business, IT, risk and audit management • End-to-end guidance on how to manage IT-related risks • A complete risk profile to better understand risk, so as to better utilize enterprise resources • A better understanding of the roles and responsibilities with regard to IT risk management • Alignment with ERM • A better view of IT-related risk and its financial implications • Fewer operational surprises and failures • Increased information quality • Greater stakeholder confidence and reduced regulatory concerns • Innovative applications supporting new business initiatives In business today, risk plays a critical role.
    [Show full text]
  • CENTER for INFORMATION SYSTEMS RESEARCH IT Risk
    CENTER FOR Massachusetts INFORMATION Institute of SYSTEMS Technology RESEARCH Sloan School Cambridge of Management Massachusetts IT Risk Management: From IT Necessity to Strategic Business Value George Westerman December 2006 CISR WP No. 366 and MIT Sloan WP No. 4658-07 © 2006 Massachusetts Institute of Technology. All rights reserved. Research Article: a completed research article drawing on one or more CISR research projects that presents management frameworks, findings and recommendations. Research Summary: a summary of a research project with preliminary findings. Research Briefings: a collection of short executive summaries of key findings from research projects. Case Study: an in-depth description of a firm’s approach to an IT management issue (intended for MBA and executive education). Technical Research Report: a traditional academically rigorous research paper with detailed methodology, analysis, findings and references. CISR Working Paper No. 366 Title: IT Risk Management: From IT Necessity to Strategic Business Value Author: George Westerman Date: December 2006 Abstract: With information technology becoming an increasingly important part of every enterprise, managing IT risk has become critically important for CIOs and their business counterparts. However, the complexity of IT makes it very difficult to understand and make good decisions about IT risks. CISR research has identified four business risks ⎯ Availability, Access, Accuracy, and Agility ⎯ that are most affected by IT. Since nearly every major IT decision involves conscious or unconscious tradeoffs among the four IT risks, IT and business executives must understand and prioritize their enterprise’s position on each. Three core disciplines ⎯ IT foundation, risk governance process, and risk aware culture ⎯ constitute an effective risk management capability.
    [Show full text]
  • IT Risk Assessment
    IT Risk Assessment Happiest People . Happiest Customers Contents Contents…………………………………………………………………………………………………………2 Introduction………………………………………………………………………………………………..........3 What benefits accrue from an IT risk assessment?………………………………………………………...3 Conducting an IT Risk Assessment………………………………………………….............………………4 Common Pitfalls to Avoid…………………………………………...................………………….……….....5 Our solution for conducting an efficacious IT Risk Assessment.................………………….………......5 Conclusion……………………………………………………………………………………………………….5 About the Author……………………………………………………………………………………………......6 2 © Happiest Minds Technologies. All Rights Reserved Introduction A 2014 study by the Ponemon Institute and HP showed that the average annual cost of cyber crime incurred by U.S. organiza- tions has risen by 96% between 2010 and 2014, to a staggering $12.7 million. All organizations are aware of the danger posed by hackers out to steal data and money, and yet, many fail to keep their security policies and systems updated. Outdated software with vulnerabilities and practices that leave the organization open to threat are still common. In order to protect your organization, you must methodically evaluate the risks, threats, and vulnerabilities surrounding your IT infrastructure. In short, you need an IT Risk Assessment. An IT Risk Assessment is a comprehensive review of the IT organization, with the objective of identifying existing flaws that could be exploited to threaten the security of the network and data. It serves as the basis for deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. What benefits accrue from an IT risk assessment? An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy.
    [Show full text]
  • Questioning the Need for Separate IT Risk Management Frameworks
    Questioning the need for separate IT risk management frameworks Nicolas Racz1, Edgar Weippl1,Andreas Seufert2 1Institut fürSoftwaretechnik undInteraktive Systeme TU Wien Favoritenstr. 9-11/188 1040 Wien,Austria 2Institut fürBusiness Intelligence, Steinbeis Hochschule Berlin {racz, eweippl}@ifs.tuwien.ac.at; [email protected] Abstract: Thegrowing importance of enterprise risk management andthe resultingintegration efforts put theneed for separate IT risk management frameworks in question. In this research we analysecommonand distinct elements of theCOSO enterprise risk management andISACA RiskITframeworks. The analysis affirmsthe hypothesis that separate IT risk managementframeworks are redundant. 1 Motivation The alignment of IT with business objectives is an important part of contemporaryIT management. Ever sincethe creationofthe terms “enterprise risk management” (ERM) and “governance,risk, andcompliance” (GRC) the searchfor integration possibilities within these disciplines has been ongoing. Howeveras of todaydifferent frameworks are used forthe management of business risksand IT risks. The emergenceofhorizontal integration(across disciplines andacross departments) andvertical integration(across the organisationalhierarchyand across processlevels) has helped to realise that formerly separate approaches areoften redundant[Mi07],which provokes the authorstoestablish the hypothesis that a separate management of IT risksmight not be justified. 2 Status quo in research andpractice A quick scan of the ACM, SpringerLinkand EmeraldInsight
    [Show full text]