ch 03 - Chapter Three IT Risks and Controls Risks are the...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
Chapter Three – IT Risks and Controls Risks are the chances of negative outcomes Managers and auditors strive to balance risk (to balance risk, we must assess it first) , rather than eliminate it – as no risk means no rewards Risk is measured based on probability and financial dimension, e.g., total dollar value of transactions processed. Depends on industry and nature of organization. Management should: ± assess and measure, and periodically (at least annually assess collectively) ± be willing to spend an amt equal to the expected value of the risk in order to control it (e.g. insurance) THE RISK MANAGEMENT PROCESS 1. Identify IT risks 2. Assess IT risks 3. Identify IT Controls 4. Document IT Controls Types of IT Risks (risk faced by a business enterprise) Business risk it is the likelihood that an organization will not achieve its business goals and objectives ± inherent risk, control risk, and residual risk ± Both external (e.g., Entrance of new competitor, poor economy) and internal (e.g., fraud, labor disputes) factors can contribute to it ± Need to be familiar with company’s strategic plan to assess this risk Audit risk it is the likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements or that an IT auditor fails to uncover a material error or fraud ± = inherent risk × control risk × detection risk ± Inherent risk is the likelihood of material errors or fraud inherent in the business environment ( Risk of errors or undesirable financial events occurring, including security risk, human risk, etc – sometimes called business risk) ± Control risk is the likelihood that the internal control system will not prevent or detect material errors or fraud on a timely basis ± Detection risk is the likelihood that audit procedures will not detect material errors or fraud on a timely basis Security risk (part of inherent risk) ± Risk associated with data access and integrity ± Data access – physical and logical unauthorized access to data ± Integrity – Ensure that IT produces accurate, complete, timely, and reliable data. To do this, we most control for risks associated with collecting and processing the data ± Negative outcomes associated with low data integrity – poor decision making to increased business risk Continuity risk (part of inherent risk) – risks associated with an information system’s availability, backup and recovery
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
± Availability – security that ensures that an information is always accessible to users ± Backup and recovery procedures – ensure that procedures are available to restore data and operations Assessing IT Risk 1. Identify threats/exposures ± Ex: data confidentiality/availability/integrity/accuracy, IT infrastructure 2. Identify vulnerabilities to threats/exposures ± Ex: data confidentiality – remote/on-site access by unauthorized users 3. Determine acceptable risk levels (e.g., expected value of risk)
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 10

ch 03 - Chapter Three IT Risks and Controls Risks are the...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online