IS AUDIT PROCESS - PowerPoint PPT Presentation

Slides: 15
Provided by: Aij9

Transcript and Presenter's Notes

1
IS AUDIT PROCESS
  • LECTURE III

2
Risk Analysis
  • Finally, risk analysis is an assessment carried
    out to:
  • Identify a company's assets.
  • Assign values to the assets.
  • Identify the assets' vulnerabilities and the
    possible threats to them, internal and external.
  • Calculate the associated risk where an identified
    threat has the possibility of exploiting an
    asset's vulnerability.
  • Estimate the potential loss and damage accruing
    from such an event.
  • Proffer and provide solutions.

3
Actual Value of an Asset
  • The actual value of an asset is made up of
    tangible and intangible costs. To calculate it,
    the following have to be reviewed and a monetary
    value assigned to each:
  • Cost of acquiring the asset.
  • Cost of replacing the asset when damaged or lost.
  • Cost of developing the asset if it is not to be
    acquired.
  • Role of the asset in the organization, i.e. the
    value added to the organization by its presence.
  • The amount competitors or adversaries are ready
    to pay to acquire the asset.
  • Cost of maintaining and protecting the asset.
  • Production and productivity losses that may
    result from a compromise or total loss of the
    asset.
  • Liability of the organization if the asset is not
    properly protected.
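The two slides above describe a procedure (value the asset, list threats and vulnerabilities, compute the risk, estimate the loss, propose solutions) without showing the arithmetic. The following script is an added worked example, not part of the lecture slides: it sums the cost components from the "Actual Value of an Asset" slide into an asset value, then expresses each asset/threat pair as an annualised loss expectancy (ALE = asset value x exposure factor x annual rate of occurrence, the usual quantitative method, which the slides do not name) and checks whether a candidate control costs less than the risk it removes. All asset names, threats, percentages and monetary figures are constructed assumptions.

```python
# Added worked example (not from the slides): asset valuation followed by a
# simple quantitative risk analysis. The ALE method and every figure below
# are assumptions, not material from the lecture.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    # Monetary value assigned to each cost component listed on the slide
    # (acquisition, replacement, maintenance and protection, liability, ...).
    cost_components: dict

    def actual_value(self) -> float:
        """Actual value = sum of the tangible and intangible cost components."""
        return float(sum(self.cost_components.values()))


@dataclass
class Threat:
    name: str
    vulnerability: str       # the weakness the threat could exploit
    exposure_factor: float   # fraction of asset value lost in one incident (0..1)
    aro: float               # annual rate of occurrence (incidents per year)


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_multiplier: float = 1.0   # preventive effect: scales the likelihood
    ef_multiplier: float = 1.0    # corrective effect: scales the loss per incident


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE: loss expected from one successful exploitation of the vulnerability."""
    return asset.actual_value() * threat.exposure_factor


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO, the figure used to rank asset/threat pairs."""
    return single_loss_expectancy(asset, threat) * threat.aro


def ale_with_control(asset: Asset, threat: Threat, control: Control) -> float:
    """ALE after the control has reduced likelihood and/or impact."""
    reduced = Threat(threat.name, threat.vulnerability,
                     threat.exposure_factor * control.ef_multiplier,
                     threat.aro * control.aro_multiplier)
    return annual_loss_expectancy(asset, reduced)


def control_net_benefit(asset: Asset, threat: Threat, control: Control) -> float:
    """Risk removed per year minus the control's cost; negative means not worth it."""
    return (annual_loss_expectancy(asset, threat)
            - ale_with_control(asset, threat, control)
            - control.annual_cost)


def rank_risks(pairs):
    """Return (asset name, threat name, ALE) tuples, highest risk first."""
    scored = [(a.name, t.name, annual_loss_expectancy(a, t)) for a, t in pairs]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample data (hypothetical figures, chosen for illustration only)
CUSTOMER_DB = Asset("customer database", {
    "acquisition": 50_000,
    "replacement": 80_000,
    "maintenance_and_protection": 20_000,
    "liability_if_not_protected": 250_000,
    "productivity_loss_on_compromise": 100_000,
})
WEB_SERVER = Asset("public web server", {
    "acquisition": 20_000,
    "replacement": 25_000,
    "productivity_loss_on_compromise": 15_000,
})

RANSOMWARE = Threat("ransomware", "unpatched file server", exposure_factor=0.4, aro=0.5)
INSIDER = Threat("insider data theft", "excessive database privileges", exposure_factor=0.1, aro=1.0)
DEFACEMENT = Threat("website defacement", "outdated CMS plugin", exposure_factor=0.2, aro=2.0)

OFFLINE_BACKUPS = Control("offline backups (corrective)", annual_cost=15_000, ef_multiplier=0.25)
LEAST_PRIVILEGE = Control("least-privilege DB roles (preventive)", annual_cost=8_000, aro_multiplier=0.5)

RISK_REGISTER = [(CUSTOMER_DB, RANSOMWARE), (CUSTOMER_DB, INSIDER), (WEB_SERVER, DEFACEMENT)]

if __name__ == "__main__":
    for asset_name, threat_name, ale in rank_risks(RISK_REGISTER):
        print(f"{asset_name:20} {threat_name:22} ALE={ale:>10,.0f}")
    print("offline backups, net benefit:", control_net_benefit(CUSTOMER_DB, RANSOMWARE, OFFLINE_BACKUPS))
    print("least privilege, net benefit:", control_net_benefit(CUSTOMER_DB, INSIDER, LEAST_PRIVILEGE))
```

The ranking is what an auditor uses to decide where to spend attention first; the net-benefit figure is the "proffer solutions" step made explicit, since a control whose annual cost exceeds the ALE it removes is itself a poor use of the organization's money.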

4
Controls
  • A control is anything that monitors or helps to
    modify a system so that the system can achieve
    some level of predicted (desired) and acceptable
    stability.
  • Controls include the policies, procedures and
    practices (tasks and activities) usually
    established by top management.
  • Internal controls, therefore, are the processes
    put in place by management to provide reasonable
    assurance that specific pre-defined business
    objectives will be achieved while ensuring that
    risk events are prevented, detected and/or
    corrected.

5
Control Categories
  • Controls, which are countermeasures to
    vulnerabilities, are generally of four types:
    deterrent, preventive, corrective and detective.
  • Deterrent controls reduce the likelihood of a
    deliberate attack.
  • Examples include:
  • Barricading a building.
  • Putting up signs notifying intruders that their
    activities are known.

6
Control Categories cont
  • Preventive controls shield vulnerabilities so
    that an attack is unsuccessful or its impact is
    reduced.
  • They inhibit an attempt to violate security
    policy.
  • They can detect problems before they arise.
  • They monitor both operations and input.
  • They attempt to predict potential problems.
  • They prevent an error, omission or malicious act
    from occurring.
  • Examples include:
  • Segregation of duties.
  • Using access control software.
  • Employing encryption.
  • Establishing suitable authorization procedures.
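Two of the preventive examples on this slide, segregation of duties and suitable authorization procedures, are things an IS auditor tests by script rather than by reading policy. The block below is an added example, not code from the lecture: it resolves group membership into each user's effective duties, flags users who hold a pair of duties that should be separated, and then checks a batch of payment records for self-approval and for approvals above the approver's limit. The duty names, the conflict pairs, the users, groups and transactions are all constructed assumptions.

```python
# Added example (not from the slides): scripted checks for two preventive
# controls, segregation of duties and authorization limits. Duty names,
# conflict pairs and all sample records are constructed assumptions.
from collections import defaultdict

# Pairs of duties one person should never hold together (assumed matrix).
CONFLICTING_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("develop_code", "deploy_to_production"),
    ("administer_security", "review_security_logs"),
]


def flatten_roles(user_groups, group_duties):
    """Resolve group membership into the effective set of duties per user."""
    effective = defaultdict(set)
    for user, groups in user_groups.items():
        for group in groups:
            effective[user].update(group_duties.get(group, ()))
    return dict(effective)


def sod_conflicts(user_duties, conflict_pairs=CONFLICTING_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a conflicting pair."""
    findings = {}
    for user, duties in user_duties.items():
        held = set(duties)
        hits = [pair for pair in conflict_pairs if pair[0] in held and pair[1] in held]
        if hits:
            findings[user] = hits
    return findings


def authorization_breaches(transactions, approval_limits):
    """Authorization-procedure check: self-approval, and approval above the approver's limit.
    approval_limits maps an approver to the largest amount they may authorize."""
    breaches = []
    for tx in transactions:
        if tx["requested_by"] == tx["approved_by"]:
            breaches.append((tx["id"], "self-approved"))
        if tx["amount"] > approval_limits.get(tx["approved_by"], 0):
            breaches.append((tx["id"], "exceeds approver limit"))
    return breaches


# Constructed sample data (hypothetical organization)
GROUP_DUTIES = {
    "ap_clerks": {"enter_invoice", "create_vendor"},
    "ap_managers": {"approve_payment"},
    "developers": {"develop_code"},
    "release_engineers": {"deploy_to_production"},
}
USER_GROUPS = {
    "alice": ["ap_clerks"],
    "bob": ["ap_clerks", "ap_managers"],          # clerk who can also approve
    "carol": ["developers", "release_engineers"],  # writes and ships code
    "dave": ["ap_managers"],
}
TRANSACTIONS = [
    {"id": "PAY-1001", "requested_by": "alice", "approved_by": "dave", "amount": 4_000},
    {"id": "PAY-1002", "requested_by": "bob", "approved_by": "bob", "amount": 2_500},
    {"id": "PAY-1003", "requested_by": "alice", "approved_by": "dave", "amount": 12_000},
]
APPROVAL_LIMITS = {"dave": 10_000, "bob": 5_000}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(flatten_roles(USER_GROUPS, GROUP_DUTIES)).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for tx_id, reason in authorization_breaches(TRANSACTIONS, APPROVAL_LIMITS):
        print(f"Authorization breach: {tx_id} ({reason})")
```

Resolving groups before testing matters: a user rarely holds conflicting duties through direct grants, so an audit that only reads direct role assignments misses the conflicts that arise from overlapping group membership.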

7
Control Categories cont
  • Corrective controls reduce the effect of an
    attack or, where possible, remove it entirely.
  • They come into play after an event or attack.
  • They remedy problems discovered by detective
    controls.
  • They identify the cause of a problem.
  • They correct errors arising from a problem.
  • They modify the processing system(s) to minimize
    future occurrences of the problem.
  • Examples include:
  • Contingency planning.
  • Back-up procedures.
  • Rerun procedures.

8
Control Categories cont
  • Detective controls discover attacks and trigger
    preventive or corrective controls.
  • They are controls that detect and report the
    occurrence of errors, omissions or malicious
    acts.
  • They warn of violations or attempted violations
    of security policy.
  • Examples include:
  • Audit trails.
  • Intrusion detection methods, e.g. an intrusion
    detection system (IDS).
  • Internal audit functions.
  • Review of logs.
  • Duplicate checking of calculations.
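"Audit trails" and "review of logs" are the detective controls most often automated. The block below is an added example, not code from the lecture: it parses a small constructed audit trail and raises a finding for three patterns an auditor reviewing logs would look for: a burst of failed logins for one account, a successful login immediately after such a burst, and a privilege change made outside business hours. The log format, the field names, the thresholds and the sample lines are assumptions made for the example.

```python
# Added example (not from the slides): a log-review routine over a constructed
# audit trail. Log format, thresholds and every sample line are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<date> <time> <EVENT> user=<u> src=<ip> [extra fields]"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<extra>.*))?$"
)

# Constructed audit-trail excerpt (hypothetical users and addresses)
AUDIT_TRAIL = """\
2024-03-04 08:02:11 LOGIN_OK user=alice src=10.0.0.21
2024-03-04 08:05:40 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 08:05:52 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 08:06:03 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 08:06:15 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 08:06:30 LOGIN_FAIL user=bob src=203.0.113.9
2024-03-04 08:07:01 LOGIN_OK user=bob src=203.0.113.9
2024-03-04 09:15:22 LOGIN_FAIL user=carol src=10.0.0.33
2024-03-04 23:41:09 LOGIN_OK user=dbadmin src=10.0.0.5
2024-03-04 23:42:50 PRIV_CHANGE user=dbadmin src=10.0.0.5 target=report_user role=DBA
2024-03-05 10:10:10 PRIV_CHANGE user=dbadmin src=10.0.0.5 target=etl_user role=READ
"""


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            event = match.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
            yield event


def review_logs(text, fail_threshold=5, window=timedelta(minutes=10), business_hours=(7, 19)):
    """Return (finding, user, timestamp) tuples in the order the evidence appears."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    for ev in parse(text):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "LOGIN_FAIL":
            failures = recent_failures[user]
            failures.append(ts)
            while failures and ts - failures[0] > window:   # drop failures outside the window
                failures.popleft()
            if len(failures) == fail_threshold:             # report once, when the threshold is hit
                findings.append(("brute_force_suspected", user, ts))
        elif ev["event"] == "LOGIN_OK":
            failures = recent_failures.get(user)
            if failures and len(failures) >= fail_threshold and ts - failures[-1] <= window:
                findings.append(("success_after_failures", user, ts))
        elif ev["event"] == "PRIV_CHANGE":
            start, end = business_hours
            if not start <= ts.hour < end:
                findings.append(("after_hours_privilege_change", user, ts))
    return findings


if __name__ == "__main__":
    for kind, user, ts in review_logs(AUDIT_TRAIL):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:30} {user}")
```

A detective control only has value if someone acts on its output, which is why the routine returns findings rather than printing them: the findings are the input to the corrective controls on the previous slide.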

9
Control Objectives
  • Control objectives are statements of the desired
    and expected achievement of implementing control
    activities or procedures.
  • Control objectives in an IS environment remain
    unchanged from those of a manual environment, but
    their implementation may be different.

10
Internal Control Objectives
  • We will look at controls related to the
    technology environment, such as:
  • Internal accounting controls: operations for
    safeguarding assets and ensuring the reliability
    of financial records.
  • Operational controls: ensuring that operations
    are meeting business objectives.
  • Administrative controls: supporting operational
    controls, specifically concerned with operating
    efficiency and adherence to organizational
    policies.

11
IS Control Objectives
  • There is a need to ensure that internal controls
    are addressed in a manner relevant to specific
    IS-related processes.
  • Examples may include:
  • Safeguarding assets from improper access and
    current.
  • Ensuring the integrity of the general operating
    system.
  • Ensuring the integrity of sensitive and critical
    application system environments.
  • Ensuring appropriate identification and
    authentication of IS resource users.
  • Ensuring the efficiency and effectiveness of
    operations.
  • Ensuring the availability of IT services.

12
COBIT
  • COBIT is a high-level process model that
    organizes a broad range of IT activities into 34
    processes. As a single source of good practice,
    it provides a uniform structure to understand,
    implement and evaluate IT capabilities,
    performance and risk, with the primary goal of
    satisfying business requirements.
  • It consists of a selection of popular management
    tools and techniques described in an IT
    management context.
  • It sets out the scope of, and defines, the IT
    activities that should be accomplished in a
    particular area of IT, and this is largely
    harmonized with other popular frameworks that
    cross-reference the same subject area.

13
COBIT cont
[Diagram: COBIT 4.0 framework overview. Business
requirements drive information, which is delivered
by IT processes. IT processes are: controlled by
control objectives (the COBIT 4.0 detailed control
objectives), implemented with control practices,
made effective and efficient with activity goals,
audited by audit guidelines, and measured by key
performance indicators (for performance), maturity
models (for maturity) and key goal indicators (for
outcome).]
14
COBIT cont
  • As indicated earlier, COBIT organizes IT
    activities into 34 processes split into 4 domains
    that follow the PDCA (plan-do-check-act) cycle.
    The 4 domains are:
  • Plan and Organize.
  • Acquire and Implement.
  • Deliver and Support.
  • Monitor and Evaluate.
  • It has as many weaknesses as it has strengths,
    the most significant being that it is better
    suited as an ASSESSMENT tool than as an
    IMPLEMENTATION tool.