DOCSLIB.ORG

Information Technology Risk and Controls 2Nd Edition

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Information Technology Risk and Controls 2Nd Edition IPPF – Practice Guide Information Technology Risk and Controls 2nd Edition 120366 PRO-GTAG_1_COVER.indd 1 3/28/12 2:18 PM Building on Experience, Shaping the Future of Audit Technology As the world’s leading audit management software, TeamMate has revolutionized the audit industry, empowering audit departments of all sizes to do more with less. Introduced in 1994, TeamMate has a long standing commitment to advancing the audit profession. From consistently innovative product updates, to hosted solutions, and now mobile apps, we are dedicated to leveraging the latest technology for our clients. Don’t take our word for it... TeamMate’s outreach extends beyond our customers to support Check out what our and enrich the professional community through research projects, educational programs and initiatives such as our Open customers are saying at Audit Innovation Contest. TeamMateSuccess.com To learn about TeamMate, visit us on the web at CCHTeamMate.com or call 1.888.830.5559. Copyright © 2012 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 2119-ARC-TM-GTAG-AD 12/15/11 120366 PRO-GTAG_1_COVER.indd 2 3/28/12 2:18 PM Global Technology Audit Guide (GTAG®) 1 Information Technology Risk and Controls 2nd Edition March 2012 120366 PRO-GTAG_1_TEXT.indd 1 3/28/12 2:17 PM 120366 PRO-GTAG_1_TEXT.indd 2 3/28/12 2:17 PM GTAG — Table of Contents EXECUTIVE SUMMARY .........................................................................................................................................2 1. INTRODUCTION ................................................................................................................................................3 2. INTRODUCTION TO THE BASIS OF IT-RELATED BUSINESS RISKS AND CONTROLS ...........................5 3. INTERNAL STAKEHOLDERS AND IT RESPONSIBILITIES ...........................................................................8 4. ANALYZING RISKS ...........................................................................................................................................10 5. ASSESSING IT — AN OVERVIEW ...................................................................................................................13 6. UNDERSTANDING THE IMPORTANCE OF IT CONTROLS ........................................................................16 7. IT AUDIT COMPETENCIES AND SKILLS ......................................................................................................22 8. USE OF CONTROL FRAMEWORK ...................................................................................................................23 9. CONCLUSION ...................................................................................................................................................25 10. AUTHORS & REVIEWERS .............................................................................................................................26 11. APPENDIX: IT CONTROL FRAMEWORK CHECKLIST ..............................................................................27 1 120366 PRO-GTAG_1_TEXT.indd 1 3/28/12 2:17 PM GTAG — Executive Summary Executive Summary This GTAG helps chief auditing executives (CAEs) and internal auditors keep pace with the ever-changing and sometimes complex world of IT by providing resources written for business executives — not IT executives. Both management and the Board have an expectation that the internal audit activity provides assurance around all-impor- tant risks, including those introduced or enabled by the implementation of IT. The GTAG series helps the CAE and internal auditors become more knowledgeable of the risk, control, and governance issues surrounding technology. The goal of this GTAG is to help internal auditors become more comfortable with general IT controls so they can talk with their Board and exchange risk and control ideas with the chief information officer (CIO) and IT management. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT-related risk and control issues as well as pres- ents relevant frameworks for assessing IT risk and controls. Moreover, it sets the stage for other GTAGs that cover in greater detail specific IT topics and associated business roles and responsibilities. This guide is the second edition of the first installment in the GTAG series — GTAG 1: Information Technology Controls — which was published in March 2005. Its goal was, and is, to provide an overview of the topic of IT-related risks and controls. 2 120366 PRO-GTAG_1_TEXT.indd 2 3/28/12 2:17 PM GTAG — Introduction • Who is responsible? Everyone. However, control 1. Introduction ownership and responsibilities must be defined and disseminated by management. Otherwise, no one is The purpose of this GTAG is to explain IT risks and controls responsible, and results could be quite severe. in a format that allows CAEs and internal auditors to under- stand and communicate the need for strong IT controls. It is • When should IT risks and controls be assessed? organized to enable the reader to move through the frame- Always. IT is a rapidly changing environment that work for assessing IT controls and to address specific topics promotes process and organizational change. New based on need. This GTAG provides an overview of the risks emerge at a rapid pace. Controls must present key components of IT control assessment with an emphasis continuous evidence of their effectiveness, and that on the roles and responsibilities of key constituents within evidence must be assessed and evaluated constantly. the organization who can drive governance of IT resources. • How much control is enough? Management must Some readers already may be familiar with some aspects of decide based on risk appetite, tolerance and manda- this GTAG, but some segments will provide new perspectives tory regulations. Controls are not the objective; on how to approach IT risks and controls. One goal of this controls exist to help meet business objectives. GTAG, and others in the series, is that IT control assess- Controls are a cost of doing business and can ment components can be used to educate others about what be expensive, but not nearly as expensive as the IT risk and controls are and why management and internal possible consequences of inadequate controls. audit should ensure proper attention is paid to fundamental IT risks and controls to enable and sustain an effective IT control environment. IT controls are essential to protect assets, customers, part- ners, and sensitive information; demonstrate safe, efficient, Although technology provides opportunities for growth and and ethical behavior; and preserve brand, reputation, and development, it also represents threats, such as disruption, trust. In today’s global market and regulatory environment, deception, theft, and fraud. Research shows that outside these things are too easy to lose. A CAE can use this guide attackers threaten organizations, yet trusted insiders are a as a foundation to assess an organization’s framework and far greater threat. Fortunately, technology also can provide internal audit practices for IT risk and control, compliance, protection from threats, as this guide will demonstrate. and assurance. It also can be used to meet the challenges Executives should know the right questions to ask and what of constant change, increasing complexity, rapidly evolving the answers mean. For example: threats, and the need to improve efficiency. • Why should I understand IT risks and controls? Two words: assurance and reliability. Executives IT controls do not exist in isolation. They form an inter- play a key role in assuring information reliability. dependent continuum of protection, but they also may be Assurance comes primarily from an interdependent subject to compromise due to weak links. IT controls are set of business controls as well as from evidence that subject to error and management override, range from controls are continuous and sufficient. Management simple to highly technical, and exist in a dynamic envi- must weigh the evidence provided by controls and ronment. IT controls have two significant elements: the audits and conclude that it provides reasonable automation of business controls (which support business assurance. management and governance) and control of the IT envi- ronment and operations (which support the IT applications • What is to be protected? Trust should be protected and infrastructures). The CAE needs to consider and assess because it ensures business and efficiency. Controls both elements. The CAE may view the automated busi- provide the basis for trust, although they often ness controls as those controls where both business and IT are unseen. Technology provides the foundation audit skills work together in an integrated audit capacity. for many — perhaps most — business controls. The CAE may want to separate the general IT controls or Reliability of financial information and processes — general computer controls (GCCs) based on the technical now mandated for many organizations— is all about skills and competencies necessary to assess more technical trust. applications, infrastructure, and operations. For example, • Where are IT controls applied? Everywhere. IT an enterprise resource planning (ERP) application requires includes technology components, processes, people, more technical knowledge to understand and assess controls organization, and architecture, as well as the infor- over the ERP database structures, user
Load more

Recommended publications
  • Metropolitan Council Internal Audit Charter A
    METROPOLITAN COUNCIL INTERNAL AUDIT CHARTER A. AUDIT COMMITTEE PURPOSE: The Metropolitan Council has established a special committee of the Council to be called the Metropolitan Council Audit Committee. The purpose of the Committee is to assist the Metropolitan Council in fulfilling its oversight responsibility for the integrity of the Council’s financial and operational results, compliance with legal and regulatory requirements, and the performance of internal audit and external auditors. AUTHORITY: The Audit Committee has authority to conduct or authorize special audits and investigations into any matters within its scope of responsibility. It is empowered to: Approve the Chief Audit Executive’s Audit Plan. Resolve any disagreements between management and the internal/external auditors regarding financial or operational control and reporting. Review and accept external auditors’ reports along with management’s written responses when appropriate. Obtain information from employees or external parties as part of its review. Council employees are directed to cooperate with Audit Committee requests. Meet with Council employees, external auditors, legal counsel, or others as necessary. Be consulted regarding changes in the Chief Audit Executive’s duties. Be informed of all matters that impair the conduct of an audit or review. However, where feasible such matters shall be first brought to the attention of the Regional Administrator for resolution before communicating them to the Audit Committee. Make periodic reports to the Council or appropriate standing committee established by the Council. RESPONSIBILITIES: Financial and Operational Review Oversight Review significant accounting, operational and reporting issues and understand their impact on the financial and operating results on the Metropolitan Council’s system of internal control.
    [Show full text]
  • Internal Control and the Board: What Is All the Fuss About?
    The Deloitte Academy June 2021 Stakeholders Societal licence Shareholders Responsible business Transparency Corporate governance Viability Company purposeAudit committee Culture Strategy Viability Internal control KPIs Audit quality Remuneration Sustainability Trust Shareholders Strategy Assurance KPIs Reputation Capability Stakeholders Company purpose Viability Internal control and the board: What is all the fuss about? Headlines • The UK Corporate Governance Code already establishes a clear responsibility on the whole board to establish a framework of prudent and effective controls – however, behind the UK proposals for a US style internal control attestation are very real questions as to whether responsibilities go far enough and whether there is sufficient guidance for boards, together with sufficiently detailed information from management, to meet these responsibilities effectively. • In particular the guidance does not address the pervasiveness of technology in detail, and boards may not be obtaining sufficient assurance over the effectiveness of IT controls given the complexity and interdependency of the IT infrastructure which exists in many companies today. • The extent of work performed by external auditors is also not well understood - careful questioning of auditors in relation to their audit scope and approach could reveal much about the control environment. • In summary, boards should not wait for further announcements from the Government or FRC/ARGA before taking action in this area, particularly if they are not able to answer the questions which we raise throughout this publication. Internal control and the board: What is all the fuss about? A reminder of the current UK Corporate Governance Code requirements • Overarching board responsibility from Code Principle C: The board should establish a framework of prudent and effective controls, which enable risk to be assessed and managed.
    [Show full text]
  • Risk Management and Internal Controls
    Risk Management and Internal Controls Accounting & Audit Update April 26, 2018 Learning Objectives . Develop an understanding of risks your organization may be facing . Understand the value of enterprise risk management . Know how internal controls can help in addressing risks . Recognize your role in risk management 2 1 Agenda . Overview of Risk Management . The State of Risk Oversight – AICPA & North Carolina Poole College of Management ERM Initiative Study 2017 . COSO ERM Framework . What can I do? 3 Risk Management and IC OVERVIEW 4 2 Introduction . Every choice we make in the pursuit of objectives has its risks. From day- to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with uncertainty in these choices is a part of our operational lives. 5 Risk vs. Uncertainty . Risk – the possibility that event(s) will occur and affect the achievement of strategy and business objectives . Uncertainty – the state of not knowing how or if potential events may manifest 6 3 Variety of Risks & Assessments . Governance . Compliance . Financial . Environmental risk . Operational . Fraud risk . Technology . IT/information . Legal security risk . Reputation . Insurance . Strategic . Investments . HR 7 Governance Risk . Lack of succession planning . Board make-up and structure . Poor advisors . Dysfunctional working relationships between executives and board . Ethical issues . Non-prudent behavior . Changing values 8 4 Financial Risks . Access to/availability of capital . Investment risks . Errors or fraud and financial reporting . Lack of oversight or approvals . Misappropriation of assets . Loss of revenue sources . Loss of key suppliers 9 Operational Risks . Decrease in service quality . Safety . Inadequate internal controls . Lack of accountability by business partners .
    [Show full text]
  • An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements
    An Audit of Internal Control Over Financial Reporting 1425 AU-C Section 940 An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements Source: SAS No. 130; SAS No. 135; SAS No. 140. Effective for integrated audits for periods ending on or after Decem- ber 15, 2016, unless otherwise indicated. Introduction Scope of This Section .01 This section establishes requirements and provides guidance that ap- plies only when an auditor is engaged to perform an audit of internal control over financial reporting (ICFR) that is integrated with an audit of financial statements (integrated audit). (Ref: par. .A1) .02 Generally accepted auditing standards (GAAS) are written in the con- text of an audit of financial statements but are to be adapted as necessary in the circumstances when applied to an audit of ICFR that is integrated with an audit of financial statements.1 This section includes special considerations related to performing an integrated audit. Effective Date .03 This section is effective for integrated audits for periods ending on or after December 15, 2016. Objectives .04 The objectives of the auditor in an audit of ICFR are to a. obtain reasonable assurance about whether material weaknesses exist as of the date specified in management's assessment about the effectiveness of ICFR (as of date)and b. express an opinion on the effectiveness of ICFR in a written re- port, and communicate with management and those charged with governance as required by this section, based on the auditor's find- ings. (Ref: par. .A2–.A4) Definitions .05 For purposes of GAAS, the following terms have the meanings at- tributed as follows: 1 Paragraph .02 of section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards.
    [Show full text]
  • Internal Control and Compliance Manual for Tennessee Municipalities Table of Contents
    INTERNAL CONTROL AND COMPLIANCE MANUAL FOR TENNESSEE MUNICIPALITIES TABLE OF CONTENTS TABLE OF CONTENTS Preface i Introduction Overview of Internal Control 1 Component 1 Control Environment GAO Green Book - Principles 1 through 5 3 Component 2 Risk Assessment GAO Green Book - Principles 6 through 9 8 Component 3 Control Activities GAO Green Book - Principles 10 through 12 12 Component 4 Information and Communication GAO Green Book - Principles 13 through 15 20 Component 5 Monitoring GAO Green Book - Principles 16 through 17 25 INTERNAL CONTROL MANUAL FOR LOCAL GOVERNMENTAL ENTITIES AND OTHER AUDITED ENTITIES IN TENNESSEE PREFACE PREFACE Local governments and other entities detailed below must establish and maintain an adequate internal control system for purposes of financial reporting, managing operations, and legal compliance. Various state statutes require the Department of Audit, Comptroller of the Treasury, to prescribe a uniform accounting system for entities that handle public funds. Those statutes require officials to adopt and use the system and the character of books, reports, and records designated by the Comptroller of the Treasury. An accounting system is defined as the methods and records established to identify, assemble, analyze, classify, record and report a government’s transactions and to maintain accountability for the related assets and liabilities. Those methods would necessarily include establishing, documenting, and implementing adequate internal controls. Some of those requirements are listed below: State, county, municipal, and utility district offices – Section 9-2-102, Tennessee Code Annotated (TCA) Emergency communication districts – Section 7-86-304, TCA Development district offices – Section 13-14-108, TCA Human resource agencies – Section 13-26-109, TCA Public charter schools – Section 49-13-111(m), TCA Regional development authorities – Section 64-7-105, TCA In addition, Section 9-18-102(a), TCA, was amended to expressly require each county, municipal, and metropolitan government to establish and maintain internal controls.
    [Show full text]
  • COSO) Oversight Representative COSO Chair John J
    Enterprise Risk Management — Integrated Framework Executive Summary September 2004 Copyright © 2004 by the Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved. You are hereby authorized to download and distribute unlimited copies of this Executive Summary PDF document, for internal use by you and your firm. You may not remove any copyright or trademark notices, such as the ©, TM, or ® symbols, from the downloaded copy. For any form of commercial exploitation distribution, you must request copyright permission as follows: The current procedure for requesting AICPA permission is to first display our Website homepage on the Internet at www.aicpa.org, then click on the "privacy policies and copyright information" hyperlink at the bottom of the page. Next, click on the resulting copyright menu link to COPYRIGHT PERMISSION REQUEST FORM, fill in all relevant sections of the form online, and click on the SUBMIT button at the bottom of the page. A permission fee will be charged for th e requested reproduction privileges. Committee of Sponsoring Organizations of the Treadway Commission (COSO) Oversight Representative COSO Chair John J. Flaherty American Accounting Association Larry E. Rittenberg American Institute of Certified Public Accountants Alan W. Anderson Financial Executives International John P. Jessup Nicholas S. Cyprus Institute of Management Accountants Frank C. Minter Dennis L. Neider The Institute of Internal Auditors William G. Bishop, III David A. Richards Project Advisory Council to COSO Guidance Tony Maki, Chair James W. DeLoach John P. Jessup Partner Managing Director Vice President and Treasurer Moss Adams LLP Protiviti Inc. E. I. duPont de Nemours and Company Mark S.
    [Show full text]
  • Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
    1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction .............................................................................................................................. 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley .... 2 1. Is there an overall approach to IT risk and control consideration that should be followed? .......................... 2 2. Why is it so important to consider IT when evaluating internal control over financial reporting? ............... 4 3. How should Section 404 compliance teams define “IT risks and controls”? .................................................. 5 4. How does management identify and prioritize IT risks? ................................................................................. 5 5. What guidance does COSO provide with respect to IT controls? .................................................................. 6 6. What guidance is provided by the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework with respect to IT controls? ........................................................................................................... 6 7. How do COSO and COBIT facilitate a Section 404 compliance effort? ........................................................ 6 8. If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts? .......................................................................................................................
    [Show full text]
  • Internal Control Questionnaires and Verification Procedures
    ICQs and Verification Procedures Comptroller’s Handbook December 2007 Internal Control Questionnaires and Verification Procedures Table of Contents Introduction............................................................................................................ 1 Pre-Examination Planning..............................................................................................1 During the Examination.................................................................................................2 Accounts Receivable and Inventory Financing........................................................6 Internal Control Questionnaire .....................................................................................6 Verification Procedures.................................................................................................8 Agricultural Lending .............................................................................................11 Verification Procedures...............................................................................................11 Allowance for Loan and Lease Losses ...................................................................14 Internal Control Questionnaire ...................................................................................14 Verification Procedures...............................................................................................15 Asset and Liability Management ...........................................................................17 Internal Control
    [Show full text]
  • Guide to Internal Control Over Financial Reporting
    GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING ABOUT THE CENTER FOR AUDIT QUALITY Please note that this publication is intended as general information and should not be relied upon as being The Center for Audit Quality (CAQ) is an autonomous definitive or all-inclusive. As with all other CAQ resources, public policy organization dedicated to enhancing this is not authoritative, and readers are urged to refer investor confidence and public trust in the global capital to relevant rules and standards. If legal advice or other markets. The CAQ fosters high-quality performance by expert assistance is required, the services of a competent public company auditors; convenes and collaborates professional should be sought. The CAQ makes no with other stakeholders to advance the discussion of representations, warranties, or guarantees about, and critical issues that require action and intervention; assumes no responsibility for, the content or application and advocates policies and standards that promote of the material contained herein. The CAQ expressly public company auditors’ objectivity, effectiveness, and disclaims all liability for any damages arising out of the responsiveness to dynamic market conditions. Based in use of, reference to, or reliance on this material. This Washington, DC, the CAQ is affiliated with the American publication does not represent an official position of the Institute of CPAs. CAQ, its board, or its members. GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING
    [Show full text]
  • G:\Comp\Sec\Sarbanes-Oxley Act of 2002.Xml
    G:\COMP\SEC\SARBANES-OXLEY ACT OF 2002.XML SARBANES-OXLEY ACT OF 2002 [Public Law 107–204, Approved July 30, 2002, 116 Stat. 745] [As Amended Through P.L. 116–222, Enacted December 18, 2020] øCurrency: This publication is a compilation of the text of Public Law 107–204. It was last amended by the public law listed in the As Amended Through note above and below at the bottom of each page of the pdf version and reflects current law through the date of the enactment of the public law listed at https:// www.govinfo.gov/app/collection/comps/¿ øNote: While this publication does not represent an official version of any Federal statute, substantial efforts have been made to ensure the accuracy of its contents. The official version of Federal law is found in the United States Statutes at Large and in the United States Code. The legal effect to be given to the Statutes at Large and the United States Code is established by statute (1 U.S.C. 112, 204).¿ AN ACT To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. ø15 U.S.C. 7201 note¿ SHORT TITLE; TABLE OF CONTENTS. 1 (a) SHORT TITLE.—This Act may be cited as the ‘‘Sarbanes- Oxley Act of 2002’’. (b) TABLE OF CONTENTS.—The table of contents for this Act is as follows: Sec.
    [Show full text]
  • An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements
    1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org STAFF VIEWS AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES JANUARY 23, 2009 This publication presents the views of the staff of the Public Company Accounting Oversight Board on how auditors can apply certain provisions of Auditing Standard No. 5 to audits of internal control over financial reporting of smaller, less complex public companies. The statements contained in this publication are not rules of the Board, nor have they been approved by the Board. Staff Views January 23, 2009 Page 2 of 62 TABLE OF CONTENTS Chapter Topic Page Introduction ...........................................................................................................3 1 Scaling the Audit for Smaller, Less Complex Companies ............................6 2 Evaluating Entity-Level Controls ..................................................................12 3 Assessing the Risk of Management Override and Evaluating Mitigating Actions ..........................................................................................18 4 Evaluating Segregation of Duties and Alternative Controls.......................24 5 Auditing Information Technology Controls in a Less Complex Information Technology Environment..........................................................27 6 Considering Financial Reporting Competencies and Their Effects on Internal
    [Show full text]
  • Sarbanes-Oxley Section 404
    SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners The Institute of Internal Auditors 2nd Edition, January 2008 Table of Contents About the Second Edition...........................................................................................................iii How to Use This Guide .............................................................................................................. iv Introduction.................................................................................................................................1 Summary for the CEO and CFO .................................................................................................3 A. Section 404: Rules or Principles ............................................................................................9 B. Revisiting the Principles of Internal Control ...................................................................... 11 The COSO Framework ....................................................................................................... 15 C. What Constitutes an Effective System of Internal Control as it Relates to the Requirements of Section 404? ............................................................................................. 18 D. Who Is Responsible for Internal Controls? ......................................................................... 19 E. What Is the Scope of Management’s Assessment of the System
    [Show full text]