Chapter 7 COSO ERM

(1) Internal Environment

The company culture (internal environment) influences how the organization:
- sets strategies and objectives
- structures business activities
- identifies, assesses, and responds to risk

It is the foundation for the seven other ERM components.

(2) Objective Setting

Management decides what the company hopes to achieve by defining a vision or mission. This is divided into more specific objectives as they are cascaded down the corporate ladder into the

4/19/12

(3) Event Identification

An event is an incident or occurrence, either internal or external, that affects the implementation of strategy or the achievement of objectives.

(4,5) Risk Assessment and Response

Risk responses: Reduce, Accept, Share, Avoid.

Design effective controls and monitor the operation or application of those controls. For risk assessment and response:

a) Estimate likelihood and impact
b) Identify controls
c) Estimate costs and benefits
d) Determine cost/benefit effectiveness

(8) Monitoring

ERM processes must be continually monitored:
- Conduct ERM evaluations
- Implement effective supervision
- Use responsibility accounting systems (budgets, schedules, etc.)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits

(6) Control Activities - Independent Checks on Performance

- Top-level reviews: actual to budget, to forecast, to prior period, and to competitor comparisons
- Analytical reviews: relationships between different sets of data (COGS to sales, for example)
- Reconciliations of independently maintained records: subledger to general ledger, bank statement to general ledger
- Actual quantities to recorded amounts: physical inventory verification, fixed asset counts
- Double-entry accounting: total debits compared to total credits
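The three checks that can be expressed as data tests (double-entry balance, subledger-to-GL reconciliation, and a COGS-to-sales analytical review) are shown below as an added example, not material from the original slides. The journal, subledger, control-account balance, quarterly figures, and the 5-point tolerance are all constructed for illustration; entry J3 and the Q3 figures are deliberately wrong so that each check returns an exception.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample journal (not from the original page): (entry id, account, debit, credit).
# Entry J3 is deliberately unbalanced so the double-entry check has something to catch.
JOURNAL = [
    ("J1", "1200 Accounts Receivable", Decimal("500.00"), Decimal("0.00")),
    ("J1", "4000 Sales",               Decimal("0.00"),   Decimal("500.00")),
    ("J2", "5000 COGS",                Decimal("300.00"), Decimal("0.00")),
    ("J2", "1300 Inventory",           Decimal("0.00"),   Decimal("300.00")),
    ("J3", "1000 Cash",                Decimal("200.00"), Decimal("0.00")),
    ("J3", "1200 Accounts Receivable", Decimal("0.00"),   Decimal("150.00")),
]

# Constructed AR subledger (per customer, kept by a clerk who does not post to the
# general ledger) and the GL control-account balance posted by someone else.
AR_SUBLEDGER = {"Acme": Decimal("200.00"), "Globex": Decimal("175.00")}
GL_AR_CONTROL = Decimal("350.00")

# Constructed quarterly figures for the analytical review: (period, sales, COGS).
QUARTERS = [
    ("Q1", Decimal("1000"), Decimal("600")),
    ("Q2", Decimal("1100"), Decimal("660")),
    ("Q3", Decimal("1200"), Decimal("900")),   # COGS jumps from 60% to 75% of sales
]


def unbalanced_entries(journal):
    """Double-entry check: for every journal entry, total debits must equal
    total credits. Returns {entry id: (debits, credits)} for the ones that fail."""
    debits, credits = defaultdict(Decimal), defaultdict(Decimal)
    for entry_id, _account, dr, cr in journal:
        debits[entry_id] += dr
        credits[entry_id] += cr
    return {eid: (debits[eid], credits[eid])
            for eid in debits if debits[eid] != credits[eid]}


def reconcile_subledger(subledger, control_balance):
    """Reconciliation of independently maintained records: the subledger detail
    should sum to the GL control account. Returns the unexplained difference
    (zero when the two agree); a non-zero result is an exception to investigate."""
    return sum(subledger.values(), Decimal("0.00")) - control_balance


def analytical_review(quarters, max_ratio_change=Decimal("0.05")):
    """Analytical review: flag periods where the COGS-to-sales ratio moves by more
    than max_ratio_change from the prior period. Returns [(period, ratio), ...]."""
    flagged, prior = [], None
    for period, sales, cogs in quarters:
        ratio = cogs / sales
        if prior is not None and abs(ratio - prior) > max_ratio_change:
            flagged.append((period, ratio))
        prior = ratio
    return flagged


if __name__ == "__main__":
    print("Unbalanced entries:", unbalanced_entries(JOURNAL))
    print("AR subledger minus GL control:", reconcile_subledger(AR_SUBLEDGER, GL_AR_CONTROL))
    print("Analytical review exceptions:", analytical_review(QUARTERS))
```

The point of the reconciliation check is that the two inputs come from people with different duties; the test is only meaningful if the clerk who maintains the subledger cannot also post to the control account, which is the segregation-of-duties control on the next slide.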

(6) Control Activities - Segregation of Accounting Duties (Fig 7-3)

Chapter 8 Controls for System Reliability

Security is a Management Issue, not an IT Issue

SOX requires the CEO and CFO to certify that the financial statements fairly present the corporate results. The accuracy of an organization's financial statements depends on the reliability of its information systems, and information security is the foundation for systems reliability.

Chapter 8 COBIT Framework

COBIT processes, to properly manage and control IT resources, are grouped into four basic management activities or domains:
- Plan and Organize (PO): properly designing and managing information systems
- Acquire and Implement (AI): obtaining and installing technology solutions
- Deliver and Support (DS): effectively and efficiently operating the systems and providing the information management requires
- Monitor and Evaluate (ME): essential processes for assessing the operation of an IT system

Chapter 8 COBIT Plan And Organize

PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technology direction
PO4 define the IT processes, organization, and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage IT human resources
PO8 manage quality
PO9 assess and manage IT risks
PO10 manage projects

Tip: Know Three

Holcim Example

Chapter 8 COBIT Acquire and Implement (AI)

AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 enable operations and use
AI5 procure IT resources
AI6 manage changes
AI7 install and accredit solutions and changes

Tip: Know Three

Chapter 8 COBIT Deliver and Support (DS)

DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 manage service desk and incidents
DS9 manage the configuration
DS10 manage problems

Tip: Know Three

Chapter 8 COBIT Monitor and Evaluate (ME)

ME1 monitor and evaluate IT performance
ME2 monitor and evaluate internal control
ME3 ensure compliance with external requirements
ME4 provide IT governance

Tip: Know Three

Chapter 8 COBIT Framework

Information provided to management must satisfy seven key criteria:
- Effectiveness: information must be relevant and timely
- Efficiency: information must be produced cost-effectively
- Confidentiality: sensitive information must be protected
- Integrity: information must be accurate, complete, and valid
- Availability: information must be available when needed
- Compliance: controls must ensure

Tip: Know Three

Chapter 8 Information Security


To mitigate the risk of an attack, use preventive, detective, and corrective controls together; no single layer is sufficient.

Preventive Controls
- Training
- User access controls such as authentication and authorization
- Physical access controls

Detective Controls
- Log analysis
- Intrusion detection software
- Security testing and audits
- Management reports

Corrective Controls
- Computer incident response team (CIRT)
- Chief Information Security Officer (CISO)
- Patch management
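Log analysis is the detective control most often left as a phrase on a slide. The following is an added example, not code from the original slides, showing what the control actually does: it parses authentication log lines, counts failed logins per source address inside a sliding time window, and raises an alert when a threshold is crossed, recording whether a successful login from the same address followed (the pattern that turns a brute-force attempt into a probable compromise). The log lines are constructed in the style of an OpenSSH auth log and use documentation-range addresses; the threshold of 5 failures in 5 minutes and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), in the style of an OpenSSH auth log.
# One source address fails five times and then succeeds as root; another fails once
# and later logs in legitimately with a key.
SAMPLE_LOG = """\
2012-04-19T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2012-04-19T08:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2012-04-19T08:00:04 sshd[1202]: Failed password for root from 203.0.113.7 port 51024 ssh2
2012-04-19T08:00:06 sshd[1202]: Failed password for root from 203.0.113.7 port 51025 ssh2
2012-04-19T08:00:09 sshd[1203]: Failed password for root from 203.0.113.7 port 51026 ssh2
2012-04-19T08:00:15 sshd[1204]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2012-04-19T08:05:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2012-04-19T09:30:00 sshd[1400]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Turn raw lines into (timestamp, outcome, user, source ip) tuples; lines that
    do not match the expected format are skipped here (a real deployment would
    count them, since a parser that silently drops lines is itself a blind spot)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source ip with >= threshold failures inside a sliding window.
    Returns {ip: {first_failure, count, success_after}} where success_after is the
    (timestamp, user) of the first accepted login from that ip after the alert."""
    failures = defaultdict(list)
    alerts = {}
    for ts, outcome, user, ip in events:
        if outcome == "Failed":
            bucket = failures[ip]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:   # expire failures outside the window
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in alerts:
                alerts[ip] = {"first_failure": bucket[0], "count": len(bucket), "success_after": None}
        elif outcome == "Accepted" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The alert for 203.0.113.7 carries a `success_after` entry, which is the signal that should page someone rather than just appear in a management report; the single failure from 198.51.100.4 stays below the threshold and is not reported.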

Chapter 9 Encryption

Encryption is a preventive control that can be used to protect both confidentiality and privacy. Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process.

Three factors determine the strength of the encryption:
- Key length: longer keys provide stronger encryption because the number of possible keys, and so the work needed to guess the key by brute force, grows exponentially with the key length
- Encryption algorithm: algorithms are designed so that the only feasible attack is brute-force guessing of the key; a publicly analysed algorithm deserves more trust than a secret one
- Policies for managing the cryptographic keys: key management is the most vulnerable aspect of the encryption system, hence cryptographic keys must be stored very securely

Cryptographic keys must be stored securely and protected with strong access controls. Best practices include not storing cryptographic keys in a browser or in any other file that other users of the system can readily access, and using a strong, long passphrase to protect the keys.

Organizations must have a way to decrypt data in the event that the employee who encrypted it is no longer with the organization:
- Use software with a built-in master key
- Use key escrow: make copies of all encryption keys used by employees and store these copies securely

An escrow copy is as sensitive as the original key, so the escrow store needs the same access controls, plus a log of every retrieval; otherwise it becomes the easiest place to steal every key at once.

Types of Encryption Systems

- Symmetric encryption: the same key is used to encrypt and decrypt (DES and AES are examples; DES is obsolete and AES is the current standard)
- Asymmetric encryption: a pair of different keys, a public key and a private key, is used to encrypt and decrypt (RSA is an example; PGP is a program built on it)
- Symmetric encryption is much faster, but both parties must already share the secret key, so distributing and protecting that key is the hard part. In practice, asymmetric encryption is used to exchange a symmetric key, which then encrypts the bulk of the data.
- Hashing: takes plaintext of any length and produces a short, fixed-length code called a hash. Hashing is one-way; a hashing algorithm cannot recreate the document in its original plaintext form. Good for verifying that the contents of a message have not been altered.

Types of Encryption Systems Continued

Digital signatures
- Nonrepudiation: how to create legally binding agreements that cannot be unilaterally repudiated by either party
- Use hashing and asymmetric encryption together: the document is hashed and the hash is encrypted with the signer's private key; anyone holding the signer's public key can decrypt the hash and compare it with a fresh hash of the document
- Proof that the document has not been altered and proof of who signed it

Digital Certificates
- An electronic document that contains an entity's public key and certifies the identity of the owner of that public key; the certificate is itself signed by a certificate authority

Public Key Infrastructure
- The system for issuing pairs of public and private keys and the corresponding digital certificates
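The following is an added example, not code from the original slides, that makes the previous two slides concrete using only Python's standard library: SHA-256 hashing, a textbook RSA key pair generated with Miller-Rabin primality testing, a digital signature produced by applying the private key to the hash of the document, verification with the public key, and the hybrid step of wrapping a random symmetric session key with the public key (the usual answer to "symmetric is faster but the key has to be shared"). The 512-bit key size, the sample contract text, and all function names are assumptions. This RSA is unpadded and the key is far too small for real use; it is here to show the mechanism, and production code should use a vetted library.

```python
import hashlib
import secrets
from math import gcd


# ---- Hashing: fixed-length digest of input of any length; one-way ----
def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Asymmetric encryption: textbook RSA (toy sizes, no padding) ----
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). 512 bits is a toy size."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)        # modular inverse of e (Python 3.8+)
    n = p * q
    return (n, e), (n, d)


def public_op(key, m: int) -> int:
    n, e = key
    return pow(m, e, n)


def private_op(key, c: int) -> int:
    n, d = key
    return pow(c, d, n)


# ---- Digital signature: hash the document, apply the private key to the hash ----
def sign(private_key, message: bytes) -> int:
    return private_op(private_key, int.from_bytes(digest(message), "big"))


def verify(public_key, message: bytes, signature: int) -> bool:
    # The public key recovers the signed hash; it must equal a fresh hash of the message.
    return public_op(public_key, signature) == int.from_bytes(digest(message), "big")


# ---- Hybrid use: the public key transports a symmetric session key ----
def wrap_key(public_key, session_key: bytes) -> int:
    return public_op(public_key, int.from_bytes(session_key, "big"))


def unwrap_key(private_key, wrapped: int, length: int = 32) -> bytes:
    return private_op(private_key, wrapped).to_bytes(length, "big")


def demo() -> bool:
    pub, priv = generate_keypair()
    contract = b"Seller delivers 100 units at 12.50 each."      # constructed sample document
    sig = sign(priv, contract)
    assert verify(pub, contract, sig)                             # unaltered: verifies
    assert not verify(pub, contract.replace(b"12.50", b"2.50"), sig)   # altered: fails
    session_key = secrets.token_bytes(32)                         # would encrypt the bulk data
    assert unwrap_key(priv, wrap_key(pub, session_key)) == session_key
    return True


if __name__ == "__main__":
    print("signature and key transport ok:", demo())
```

The altered-contract check is the integrity half of nonrepudiation; the "who signed it" half rests entirely on the private key never leaving its owner, which is why the key-management slide calls key handling the weakest part of the system.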

Chapter 11 Examples of Audit Techniques

Objective 3 - Program Modifications

- Source code comparison program
- Reprocessing data
- Parallel simulation
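As an added example (not code from the original slides), a minimal source code comparison control: the version that passed change control is fingerprinted, the deployed version is fingerprinted the same way, and when they differ the exact changed lines are reported for the auditor to match against approved change requests. The two source fragments are constructed, with an unauthorized customer-specific discount slipped into the production copy; the function names are assumptions.

```python
import difflib
import hashlib

# Constructed sample: the program version approved through change control ...
APPROVED_SOURCE = """\
def apply_discount(amount, customer):
    rate = 0.05 if customer.is_preferred else 0.0
    return round(amount * (1 - rate), 2)
"""

# ... and what is actually running in production, with an unauthorized edit.
PRODUCTION_SOURCE = """\
def apply_discount(amount, customer):
    rate = 0.05 if customer.is_preferred else 0.0
    if customer.id == 4711:
        rate = 0.50
    return round(amount * (1 - rate), 2)
"""


def fingerprint(source: str) -> str:
    """SHA-256 of the source text; store this for the approved version at release time."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_source(approved: str, production: str) -> dict:
    """Source code comparison: does the deployed program match the approved one, and
    if not, which lines were added ('+') or removed ('-')?"""
    if fingerprint(approved) == fingerprint(production):
        return {"matches": True, "changes": []}
    diff = difflib.unified_diff(approved.splitlines(), production.splitlines(),
                                fromfile="approved", tofile="production", lineterm="")
    changes = [line for line in diff
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    return {"matches": False, "changes": changes}


if __name__ == "__main__":
    result = compare_source(APPROVED_SOURCE, PRODUCTION_SOURCE)
    print("matches approved version:", result["matches"])
    for line in result["changes"]:
        print(line)
```

The fingerprint is the cheap check that can run on every deployment; the diff is what the auditor needs only when the fingerprint fails. Reprocessing and parallel simulation attack the same objective from the data side, by running known inputs through the program (or an independently written one) and comparing outputs.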

Objective 4 - Audit Process Controls

Concurrent audit techniques continually monitor the system using embedded audit modules. Types of concurrent techniques are:
- Integrated test facility (ITF): a fictitious division is created, and test transactions are processed against it alongside real ones; their results are excluded from the corporate results
- Snapshot technique: selected transactions are tagged with a special code, and the system records their before and after images for review by internal audit
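The two concurrent techniques above, as an added example that is not part of the original slides: a small posting routine with an embedded audit module that routes transactions for the fictitious ITF division into their own balances (so they never reach the corporate totals) and records before/after images for any transaction carrying the snapshot tag. The division code DIV-99, the tag AUD, the transaction stream, and the auditor's expected ITF result are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed identifiers (not from the original page): the fictitious division the
# ITF transactions post to, and the tag that selects transactions for the snapshot.
ITF_DIVISION = "DIV-99"
SNAPSHOT_TAG = "AUD"


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)       # real corporate results
    itf_balances: dict = field(default_factory=dict)   # ITF results, kept out of corporate totals
    snapshots: list = field(default_factory=list)      # before/after images of tagged transactions

    def post(self, txn) -> int:
        """Embedded audit module: route ITF transactions to their own balances and
        record a snapshot for any transaction carrying the audit tag."""
        target = self.itf_balances if txn["division"] == ITF_DIVISION else self.balances
        key = (txn["division"], txn["account"])
        before = target.get(key, 0)
        after = before + txn["amount"]
        target[key] = after
        if txn.get("tag") == SNAPSHOT_TAG:
            self.snapshots.append({"txn_id": txn["id"], "account": key,
                                   "before": before, "after": after})
        return after


# Constructed transaction stream mixing real and ITF transactions.
SAMPLE_TXNS = [
    {"id": "T1", "division": "DIV-01", "account": "Sales", "amount": 500},
    {"id": "T2", "division": "DIV-99", "account": "Sales", "amount": 999},                # ITF test
    {"id": "T3", "division": "DIV-01", "account": "Sales", "amount": 250, "tag": "AUD"},  # real, snapped
    {"id": "T4", "division": "DIV-99", "account": "Sales", "amount": -999, "tag": "AUD"}, # ITF reversal, snapped
]

# What the auditor expects the ITF division to show once the test transactions net out.
ITF_EXPECTED = {("DIV-99", "Sales"): 0}


def run(txns) -> Ledger:
    ledger = Ledger()
    for txn in txns:
        ledger.post(txn)
    return ledger


def corporate_total(ledger: Ledger, account: str) -> int:
    """Total for an account across real divisions only; ITF activity never appears here."""
    return sum(amount for (_div, acct), amount in ledger.balances.items() if acct == account)


def itf_exceptions(ledger: Ledger, expected: dict) -> dict:
    """Compare ITF results with the auditor's expected results; returns the mismatches."""
    return {key: (ledger.itf_balances.get(key), want)
            for key, want in expected.items() if ledger.itf_balances.get(key) != want}


if __name__ == "__main__":
    ledger = run(SAMPLE_TXNS)
    print("corporate Sales:", corporate_total(ledger, "Sales"))
    print("ITF exceptions:", itf_exceptions(ledger, ITF_EXPECTED))
    for snap in ledger.snapshots:
        print("snapshot:", snap)
```

The ITF reversal (T4) is the step that is easy to forget: test transactions must be backed out or excluded before period-end, or the fictitious division leaks into the real results. The snapshot list is what internal audit actually reviews; it shows the state of the account immediately before and after each tagged transaction.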

Chapter 20 Systems Development Life Cycle

- Systems analysis: feasibility study and assess information needs
- Conceptual design: evaluate design alternatives and deliver conceptual design requirements
- Physical design: develop input, output, database, programs, procedures, and controls; deliver the system
- Implementation and conversion: develop an implementation and conversion plan; install, train, test, convert; deliver an operational system
- Operations and maintenance: post-implementation review, operate, modify, ongoing maintenance, and improve

The Players: Management, Accountants and Other Users, IS


Chapter 20 Behavioural Aspects of Change

How People Resist Change

Failure to provide developers with information, tardiness, or subpar performance.

Resistance takes three forms:
- Aggression: behaviour that destroys, cripples, or weakens system effectiveness, such as increased error rates, disruptions, or sabotage
- Projection: blaming the new system for everything that goes wrong. The criticisms must be controlled and answered, or system integrity can be damaged or destroyed
- Avoidance: ignoring the system and hoping that it goes away. Eliminate the options to avoid its use and / or

Preventing Behavioural Problems
- Obtain management support
- Meet user needs
- Involve users: users who participate are more knowledgeable, better trained, and committed
- Avoid emotionalism
- Re-examine performance evaluations to ensure they are congruent with the new system
- Keep communication lines open
- Test the system
- Control user expectations by being realistic when describing the merits of the system

Chapter 22 Systems Design, Implementation, Operation

Systems Physical Design

The conceptual design is translated into detailed specifications that are used to code and test the computer programs. Hardware implementation and upgrades are part of this process.

Systems Implementation

The implementation plan consists of implementation tasks, expected completion dates, cost estimates, and who is responsible for each task. People must be hired or transferred to meet the business requirements. Systems development documentation, operations documentation, and user documentation are prepared.