IT audit course: The concept of IT Auditing
COMPUTER RISKS AND EXPOSURES
“Control” comprises all the elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organization’s objectives. Control is “effective” to the extent that it provides reasonable assurance that the organization will achieve its objectives reliably. Leadership involves making choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.1
All entities encounter risk regardless of their size, structure, nature, or industry. Likewise, all business decisions involve elements of risk, including such elements as financing, product lines or sources, and methods of supply.
All businesses, products, and processes involve some degree of risk. Risk management involves assessing a product, process, or business by:
- Identifying processes
- Identifying the types of risks associated with each process
- Identifying the controls associated with each process
- Evaluating the adequacy of the system of control in mitigating risk
- Determining the key controls associated with each process
- Determining the effectiveness of the key controls
Three types of risk are normally considered when using a risk-based audit approach. They are inherent risk, control risk, and audit risk.
Inherent Risk
Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-reducing factors. In evaluating inherent risk, the auditor must consider the types and nature of the risks as well as the factors that indicate a risk exists. To achieve this the auditor must be familiar with the environment in which the entity operates.
Control Risk
Control risk measures the likelihood that the control processes established to limit or manage inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly, the auditor must understand how to measure which controls are effective. This will involve identifying those controls that provide the greatest degree of assurance to minimize risks within the business. Control effectiveness is strongly impacted by the quality of work and control supervision.
Controls in business operations provide the major line of defense against inherent risk. In general, the auditor may assume that stronger controls reduce the amount of risk; however, at some point the cost of control may become prohibitive (in terms of both monetary and staff resources as well as customer satisfaction).
Audit Risk
Audit risk is the risk that audit coverage will not address significant business exposures. Pro-forma audit programs may be developed in order to reduce audit risk. These provide guidance as to which key controls should exist to address the risk, and the recommended compliance and/or substantive test steps to be performed. These programs should be used with care and modified to reflect the current business risk profile.
EFFECT OF RISK
In general, business risks may affect a company’s ability to compete successfully, to maintain financial strength and a positive public image, and ultimately its ability to survive. Risks will impact the overall quality of an organization’s products, people, or services. Risks cannot be eliminated, only managed.
Auditors have traditionally been tasked with gaining and confirming an understanding of the system of internal control as fundamental to evaluating the adequacy and effectiveness of management’s internal controls. Internal control has been presumed to be a response to business risk. In order to evaluate the effectiveness of risk control measures, the auditor must have a comprehensive understanding of the underlying business risks.
Within a heavily computerized organization, such an understanding requires, initially, a thorough understanding of the business process in order to identify critical processes where less than optimum performance could have severe consequences. In addition, an understanding of the risks inherent within a computerized environment is essential in order to assess the appropriateness and mitigating effects of the control environment.
Such understandings of both the business process and the IT environment imply a collaborative approach because the internal auditor is rarely as knowledgeable about the process as the manager who routinely controls it or the IT staff implementing the IT control environment. By the same token, the management and IT teams who are involved in a business or IT process on a day-to-day basis will normally lack the independent perspective an internal auditor can bring to risk evaluation.
One of the major cornerstones of IS governance is the management of risks. This is increasingly being seen as a strategic issue to be addressed at board level in order to ensure the ongoing viability of the organization because failure within IS can have a catastrophic effect on the organization.
For many business executives, understanding the risks relating to the use of IS remains a challenge. In some cases, this results from a basic lack of understanding of the uses and potential abuses of such information systems. Many executives derive their understanding of IS risk from the popular media, who tend to focus on risk areas of high visibility and human interest and neglect the underlying flaws in control strategies that allowed those risks to materialize.
Elimination of risk is neither possible nor desirable because it is by careful management of risks that organizations achieve their objectives. The risk of not using IT in an appropriate way is as great as or possibly greater than the risk of the existing technology failing or being penetrated.
Because of the increasingly complex business environment coupled with the growth in the use of advanced technological solutions, the management of information risks has become one of the most challenging areas within which management must operate. Conducting business, particularly at an international level, requires the demonstration of high levels of good governance. As a result of this requirement for good governance, organizations place a growing emphasis on enterprise risk management (ERM).
Enterprise risks come in a variety of forms including operational, financial, and systemic risk. Within these, technology risk and the risk of information security failures are critical.
COSO has defined the ERM Framework as encompassing:
- “Strategic. High level goals, aligned with and supporting its mission
- Operations. Effective and efficient use of its resources
- Reporting. Reliability of reporting
- Compliance. Compliance with applicable laws and regulations”2
As can be seen, IS plays an important role in all of these areas. As such, IS risks could be defined as:
- Strategic. The risk that information systems, whether developed in-house or purchased, are not aligned with the organization’s goals and do not support the achievement of its mission.
- Operations. The risk that the information systems in use by the organization impose unacceptable overheads on the organization or result in sub-optimal service levels. At the same time, the dependency of organizations on the information systems means that unavailability of those systems within appropriate timescales can also prove a major operational risk.
- Reporting. The risk that IS cannot be relied on to produce information in an accurate, complete, and timely manner.
- Compliance. The risk that IS, in themselves, lead to breaches of laws and regulations with a result of losses to the organization, either financial or in reputation.
AUDIT AND RISK
The Institute of Internal Auditors (IIA) Practice Advisory 2100-6: Control and Audit Implications of E-commerce Activities highlights the challenges facing internal auditors in organizations that increasingly use IT in business operations and provides guidance as to the role and responsibilities of internal audit.
Continuous changes in technology offer the internal auditing profession both great opportunity and risk. Before attempting to provide assurance on the systems and processes, an internal auditor should understand the changes in business and information systems, the related risks, and the alignment of strategies with the enterprise’s design and market requirements. The internal auditor should review management’s strategic planning and risk assessment processes and its decisions.3
It is the responsibility of operational management to identify, assess, and manage risk. It is IS Audit’s responsibility to assist management in this process by facilitating the identification and assessment of risk and by assisting management in monitoring how well risks are actually being managed by the business.
Many organizations do not have the resources available to identify, analyze, and control all business risks from an IS perspective. Implementing a formal risk assessment process assists by providing a consistent method for selecting high-impact risks on which to focus audit resources.
During the risk assessment, IS Auditors develop an understanding of the operation’s business in order to facilitate the identification and assessment of significant risks to and from the information systems. This assessment is then used to allocate audit resources to areas within the organization that provide executive management and the Audit Committee with the most efficient and effective level of audit coverage.
Auditors must always keep in mind that individual managers have differing attitudes toward risk. Some managers or even organizations see the acceptance of risk as fundamental to the making of profits, whereas others are highly risk-averse and consider reducing risk a fundamental component of the business. This is referred to as risk tolerance. Unless the auditor understands this concept, it is likely that management and auditors will talk at cross purposes on risk and that audit recommendations may be deemed impractical or unacceptable.
Based upon the individual risk positions adopted, companies will have many different risk mitigation interventions, such as insurance coverage, financial instruments, compliance, and internal audit functions. Management must understand that internal audit does not replace management’s responsibility to control its own risk to acceptable levels.
Risks themselves are commonly categorized based on the organization’s response, thus:
- Controllable risks. Risks that exist within the processes of an organization and that are wholly in the hands of the organization to mitigate.
- Uncontrollable risks. Risks that can arise externally to the organization and that cannot be directly controlled or influenced but that nevertheless call for a risk position to be taken by the organization.
- Influenceable risks. Risks that arise externally to the organization but that can be influenced by the organization.
AUDIT EVIDENCE
IS Auditors are frequently expected to express an opinion on the adequacy and effectiveness of internal controls in mitigating risk. For this the auditor must gather audit evidence. Evidence may be defined as information intended to prove or support a belief. Individually, items of evidence may be flawed by personal bias or by a potential error of measurement, and each piece may be less competent than desirable, so the auditor looks at the “body of evidence” as a whole, which should provide a factual basis for audit opinions.
RELIABILITY OF AUDIT EVIDENCE
Audit evidence may be classified as:
- Sufficient. Factual, adequate and convincing such that a prudent person would reach the same conclusions as the auditor
- Competent. Reliable and the best attainable through the use of appropriate audit techniques
- Relevant. Supports audit findings and recommendations and is consistent with the objectives for the audit
- Useful. Helps the organization meet its goals
Evidence, for the IS Auditor, is frequently thought of as being obtained by direct interrogation of computer data files. Although this is a common technique, evidence may also be obtained by observing conditions, interviewing people, and examining records. Such evidence is typically classified as:
- Physical evidence. Generally obtained by observation of people, property, or events, and may be in the form of photographs, maps, and so on. Where the evidence is from observation, it should be supported by documented examples or, if not possible, by corroborating observation.
- Testimonial evidence. May take the form of letters, statements in response to inquiries, or interviews, and is not conclusive in itself because it is only another person’s opinion. It should be supported by documentation where possible.
- Documentary evidence. The most common form of audit evidence and includes letters, agreements, contracts, directives, memoranda, and other business documents. Such documented evidence may also be derived from computerized records using the appropriate audit tools and techniques. The source of the document will affect its reliability and the trust we place on it. The quality of internal control procedures will also be taken into account.
- Analytical evidence. Commonly derived from computations, comparisons to standards, past operations, and similar operations. Once again, in this area, computerized tools will normally prove a highly effective aid to the auditor. Regulations and common reasoning will also produce such evidence.
It is worth noting that a common concept within the gathering of evidence, namely “materiality,” may differ among the varying types of audit. For financial auditing, materiality is generally taken to be a sum of money and is used to determine levels of significance in assessing audit evidence. From an internal audit perspective, materiality relates rather to weaknesses or failures within the internal control structures of the organization. Any evidence, however small, indicating a failure within a major control relied upon by management would be deemed significant evidence.
AUDIT EVIDENCE PROCEDURES
The auditor relies heavily on gathering evidence. This is done in a variety of ways and follows the Audit Program. The Audit Program is a set of detailed steps that the auditor will follow in order to gain the appropriate evidence and, for the IS Auditor, may well include the use of computerized techniques, although this is not always the case.
The actual program used will vary from audit to audit depending on what the auditor wishes to find out and must always include a degree of flexibility to allow for changes based on the evidence already acquired. For example, the auditor may wish to examine data files in order to determine that the printouts relied upon by management match the live data files. In such a case, the use of computer-assisted audit tools and techniques would be appropriate. In a different scenario, an auditor wishing to examine the authorization of transactions may use such tools to extract records and then follow up against the original documents, looking for authorizing signatures.
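The two computer-assisted techniques just described, as an added worked example that is not part of the course text: a record-by-record reconciliation of a management report against the live data file it claims to reproduce, and an extraction of transactions above an approval limit that carry no recorded approver, for follow-up against the signed source documents. The CSV layout, the field names, the approval threshold, and the sample records are all constructed assumptions for illustration; the report is deliberately built so that one record is altered and one is missing. The SHA-256 fingerprint of the extract is recorded so the working papers can tie the evidence to exactly the data that was examined.

```python
"""Added example (not from the course text): two computer-assisted audit
techniques (CAATs) run over constructed sample data.

1. reconcile_report_to_live(): checks that a management report matches the
   live data file it claims to summarise (missing, extra and altered records).
2. extract_unauthorised(): pulls transactions at or above an approval threshold
   that carry no recorded approver, for follow-up against original documents.
Threshold, column names and sample records are assumptions for illustration.
"""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample data: the "live" transaction file as exported from the
# system (assumed CSV layout) ...
LIVE_CSV = """txn_id,date,vendor,amount,approver
1001,2024-03-01,Acme Ltd,450.00,jsmith
1002,2024-03-02,Globex,12000.00,
1003,2024-03-02,Initech,980.50,mjones
1004,2024-03-03,Acme Ltd,25000.00,jsmith
1005,2024-03-04,Umbrella,7500.00,
"""

# ... and the printout management relies on, which claims to reproduce it.
# Constructed so that txn 1002 is altered and txn 1004 is missing.
REPORT_CSV = """txn_id,date,vendor,amount,approver
1001,2024-03-01,Acme Ltd,450.00,jsmith
1002,2024-03-02,Globex,1200.00,
1003,2024-03-02,Initech,980.50,mjones
1005,2024-03-04,Umbrella,7500.00,
"""

APPROVAL_THRESHOLD = Decimal("5000.00")  # assumed policy limit, not from the text
KEY = "txn_id"


def load_records(text):
    """Parse CSV text into {txn_id: row}. Amounts become Decimal so that the
    comparison is exact rather than subject to float rounding."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        rows[row[KEY]] = row
    return rows


def file_fingerprint(text):
    """SHA-256 of the data as examined; recorded in the working papers so the
    evidence can be tied to exactly this extract."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def reconcile_report_to_live(live, report):
    """Compare the report against the live file record by record.
    Returns the exceptions found; all three lists empty means the report
    faithfully reproduces the live data."""
    live_ids, report_ids = set(live), set(report)
    exceptions = {
        "missing_from_report": sorted(live_ids - report_ids),
        "not_in_live": sorted(report_ids - live_ids),
        "altered": [],  # (txn_id, field, live_value, report_value)
    }
    for txn_id in sorted(live_ids & report_ids):
        for field, live_value in live[txn_id].items():
            report_value = report[txn_id].get(field)
            if report_value != live_value:
                exceptions["altered"].append((txn_id, field, live_value, report_value))
    return exceptions


def extract_unauthorised(live, threshold=APPROVAL_THRESHOLD):
    """Extract transactions at or above the threshold with no approver on
    record. These are the items to trace to the signed source documents."""
    return sorted(
        txn_id
        for txn_id, row in live.items()
        if row["amount"] >= threshold and not row["approver"].strip()
    )


if __name__ == "__main__":
    live = load_records(LIVE_CSV)
    report = load_records(REPORT_CSV)
    print("live file sha256:", file_fingerprint(LIVE_CSV))
    print("reconciliation exceptions:", reconcile_report_to_live(live, report))
    print("for authorisation follow-up:", extract_unauthorised(live))
```

On the constructed data the reconciliation reports transaction 1004 missing from the printout and the amount of 1002 altered, and the extraction lists 1002 and 1005 as high-value items with no approver. The exceptions, not the clean matches, are what go into the working papers; an empty exception set is itself documentary evidence that the printout can be relied upon.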
In gathering evidence, auditors must ensure that they maintain an independent and objective attitude both in fact and in appearance. Such independence is normally taken to be in jeopardy when an auditor is charged with auditing an area where he or she has held line responsibility within the previous year. Many auditors interpret this as indicating that they cannot be too detailed in making recommendations because this would preclude their conducting subsequent audits due to a perceived lack of independence and objectivity. This may indeed be the case, and both management and auditors must understand that, where detailed assistance is given in designing and implementing control structures, the auditor is functioning primarily as an internal control consultant. Subsequent auditing of these structures should be done independently of the consultant.
RESPONSIBILITIES FOR FRAUD DETECTION AND PREVENTION
It must be clearly understood that the primary responsibility for the prevention and detection of all frauds, including IS frauds, is the responsibility of operational management. Nevertheless, the auditor has a role to play in assisting management in establishing a control environment in which fraud is unlikely to occur, but where it does occur, it will be quickly detected.
This contrasts with the approach of the forensic auditor, whose primary obligation is the resolution of fraud with evidence sufficient to prove or disprove the allegations. Forensic auditors must presume that all cases will eventually end up in litigation, and the quality of evidence gathered must take this into account.