Example: confidence

Information Technology Risk and Controls

IPPF Practice Guide Information Technology Risk and Controls 2nd Edition 120366 1 3/28/12 2:18 PM. B. A. h d 1. t u d T. a p A. T. C. Cop 120366 2 3/28/12 2:18 PM. Global Technology Audit Guide (GTAG ) 1. Information Technology Risk and Controls 2nd Edition March 2012. 120366 1 3/28/12 2:17 PM. 120366 2 3/28/12 2:17 PM. GTAG Table of Contents Executive 1. 2. Introduction to the Basis of IT-related Business Risks and 3. Internal Stakeholders and IT 4. Analyzing 5. Assessing IT An 6. Understanding the Importance of IT 7. IT Audit Competencies and 8. Use of control 9. 10. Authors & 11.

ners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these things are too easy to lose. A CAE can use this guide as a foundation to assess an organization’s framework and

Tags:

  Ners

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Advertisement

Transcription of Information Technology Risk and Controls

1 IPPF Practice Guide Information Technology Risk and Controls 2nd Edition 120366 1 3/28/12 2:18 PM. B. A. h d 1. t u d T. a p A. T. C. Cop 120366 2 3/28/12 2:18 PM. Global Technology Audit Guide (GTAG ) 1. Information Technology Risk and Controls 2nd Edition March 2012. 120366 1 3/28/12 2:17 PM. 120366 2 3/28/12 2:17 PM. GTAG Table of Contents Executive 1. 2. Introduction to the Basis of IT-related Business Risks and 3. Internal Stakeholders and IT 4. Analyzing 5. Assessing IT An 6. Understanding the Importance of IT 7. IT Audit Competencies and 8. Use of control 9. 10. Authors & 11.

2 Appendix: IT Control Framework 1. 120366 1 3/28/12 2:17 PM. GTAG Executive Summary Executive Summary This GTAG helps chief auditing executives (CAEs) and internal auditors keep pace with the ever-changing and sometimes complex world of IT by providing resources written for business executives not IT executives. Both management and the Board have an expectation that the internal audit activity provides assurance around all-impor- tant risks, including those introduced or enabled by the implementation of IT. The GTAG series helps the CAE. and internal auditors become more knowledgeable of the risk, control, and governance issues surrounding Technology .

3 The goal of this GTAG is to help internal auditors become more comfortable with general IT Controls so they can talk with their Board and exchange risk and control ideas with the chief Information officer (CIO) and IT management. This GTAG describes how members of governing bodies, executives, IT professionals, and internal auditors address significant IT-related risk and control issues as well as pres- ents relevant frameworks for assessing IT risk and Controls . Moreover, it sets the stage for other GTAGs that cover in greater detail specific IT topics and associated business roles and responsibilities.

4 This guide is the second edition of the first installment in the GTAG series GTAG 1: Information Technology Controls which was published in March 2005. Its goal was, and is, to provide an overview of the topic of IT-related risks and Controls . 2. 120366 2 3/28/12 2:17 PM. GTAG Introduction Who is responsible? Everyone. However, control 1. Introduction ownership and responsibilities must be defined and disseminated by management. Otherwise, no one is The purpose of this GTAG is to explain IT risks and Controls responsible, and results could be quite severe. in a format that allows CAEs and internal auditors to under- stand and communicate the need for strong IT Controls .

5 It is When should IT risks and Controls be assessed? organized to enable the reader to move through the frame- Always. IT is a rapidly changing environment that work for assessing IT Controls and to address specific topics promotes process and organizational change. New based on need. This GTAG provides an overview of the risks emerge at a rapid pace. Controls must present key components of IT control assessment with an emphasis continuous evidence of their effectiveness, and that on the roles and responsibilities of key constituents within evidence must be assessed and evaluated constantly.

6 The organization who can drive governance of IT resources. How much control is enough? Management must Some readers already may be familiar with some aspects of decide based on risk appetite, tolerance and manda- this GTAG, but some segments will provide new perspectives tory regulations. Controls are not the objective;. on how to approach IT risks and Controls . One goal of this Controls exist to help meet business objectives. GTAG, and others in the series, is that IT control assess- Controls are a cost of doing business and can ment components can be used to educate others about what be expensive, but not nearly as expensive as the IT risk and Controls are and why management and internal possible consequences of inadequate Controls .

7 Audit should ensure proper attention is paid to fundamental IT risks and Controls to enable and sustain an effective IT. control environment. IT Controls are essential to protect assets, customers, part- ners , and sensitive Information ; demonstrate safe, efficient, Although Technology provides opportunities for growth and and ethical behavior; and preserve brand, reputation, and development, it also represents threats, such as disruption, trust. In today's global market and regulatory environment, deception, theft, and fraud. Research shows that outside these things are too easy to lose.

8 A CAE can use this guide attackers threaten organizations, yet trusted insiders are a as a foundation to assess an organization's framework and far greater threat. Fortunately, Technology also can provide internal audit practices for IT risk and control, compliance, protection from threats, as this guide will demonstrate. and assurance. It also can be used to meet the challenges Executives should know the right questions to ask and what of constant change, increasing complexity, rapidly evolving the answers mean. For example: threats, and the need to improve efficiency. Why should I understand IT risks and Controls ?

9 Two words: assurance and reliability. Executives IT Controls do not exist in isolation. They form an inter- play a key role in assuring Information reliability. dependent continuum of protection, but they also may be Assurance comes primarily from an interdependent subject to compromise due to weak links. IT Controls are set of business Controls as well as from evidence that subject to error and management override, range from Controls are continuous and sufficient. Management simple to highly technical, and exist in a dynamic envi- must weigh the evidence provided by Controls and ronment.

10 IT Controls have two significant elements: the audits and conclude that it provides reasonable automation of business Controls (which support business assurance. management and governance) and control of the IT envi- ronment and operations (which support the IT applications What is to be protected? Trust should be protected and infrastructures). The CAE needs to consider and assess because it ensures business and efficiency. Controls both elements. The CAE may view the automated busi- provide the basis for trust, although they often ness Controls as those Controls where both business and IT.


Related search queries