Acc653.F16.Midterm.Solutions Summary

B.1 (source: DQ5 Chapter 3)

IT risks are a subset of the overall universe of business risks. IT activities are designed to help an organization achieve its business objectives and, therefore, are subject to the same principles as described in Exhibit 3-4.

Governance Umbrella — The board of directors has a responsibility to understand how IT (1) enables the achievement of business objectives and (2) poses a variety of inherent risks to an organization. The chief information officer (CIO) may not have a direct reporting relationship or direct access to the board or its committees and, therefore, the board's direction and authority may be delegated through another senior executive, such as the CFO. Good IT governance requires the CIO, or a similar officer, to understand the following:
- Business objectives that depend on IT, or IT-specific objectives that will help the CIO manage the overall IT operations.
- The amount of risk the board and senior management can tolerate related to risk outcomes.
- Key stakeholders and their expectations. While outside stakeholders may have some interest in how IT enables business objectives, the primary IT stakeholders may be internal customers, such as business and functional leaders.

Risk Management — The tactics for managing IT risks may vary somewhat from other business risks, but the overall process is the same. It is important for IT management to identify all IT-related risks, understand the potential impact and likelihood of those risks, and determine the appropriate strategies for managing those risks within the tolerance levels established by the board and senior management. Additionally, IT management must implement timely and effective monitoring activities to ensure IT risks are in fact being managed to acceptable levels.

Assurance — Internal audit functions typically devote a portion of their audit plan to address IT risks. Internal audit communications to senior management and the board will be similar to those described in the chapter. Assurance also may be obtained from other internal and external parties. For example, the CIO may hire specialist consultants to conduct penetration testing to help evaluate the security of the organization's firewalls and security capabilities.

B.2 There are three prerequisites to be met before the internal auditor can consider using computer-assisted audit techniques (CAATs):
1. The information to be analyzed must be stored in computer records. CAATs can be used only where the record-keeping is computerized.
2. Computer facilities must be available, and appropriate software to perform the CAATs must either be available or be developable cost-effectively.
3. The auditor must have the technical competence to perform the audit procedures, or must be able to supervise the specialist who carries out the computer-assisted procedures.