MIS 5201-IT Audit Process

MIS 5201.001 – Mike Romeu

Week 06 – Risks and Controls; A Deeper Dive

Quiz 1 Study Guide

CISA Review Manual:

  • Section 1.4 IS Controls. This includes all subsections except 1.4.4 COBIT 5.

Article for Discussion:

The underlying assumption of many articles and discussions regarding IS and General controls is that there is an IT organization (or function) that has a reasonable level of control over the IT assets (data, hardware, software, services…) of the enterprise. (You may also want to read Tommie Singleton’s article “The Core of IT Auditing“.) But things have changed significantly in the last few years.

Consider the following: mobile technology has blurred the lines between personal and work spaces; services once offered by internal IT organizations are now easily procured on the cloud… usually without the need for IT intervention.

Question: What challenges do you think these present in terms of governance (IT governance) and risk optimization?


Week 05 – Wrap up

Class Video: Week 05 – IT Risks and Controls

Class Slides: Week 05 – IT Risk and Controls

Risk Assessment Worksheet: Risk Assessment

This week we learned a few things about the concept of Risk and its relationship to audit and assurance. We learned that:

  1. Risk is expressed as the product of its impact and the probability of it occurring (R = I x P)
  2. Risk can be measured quantitatively and qualitatively, each having advantages and disadvantages
  3. The measure of Risk will always have some level of subjectivity.

We also learned about:

  • Inherent Risk
  • Residual Risk
  • Control Risk
  • Detection Risk
  • Sampling Risk… although I only mentioned this in passing; we will get back to it when we talk about sampling.

For illustration purposes we went through a fairly simple exercise to quantify Risk using All World Airways as an example. We then took the same Risks and assessed them qualitatively.
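As an added illustration (this is not the class worksheet, and it uses constructed All World Airways-style risks rather than the figures from class), the following Python scores one set of risks both quantitatively (R = I x P, with impact in dollars and an annual probability) and qualitatively (1–5 ratings on a heat-map grid), then shows that the two methods can rank the same risks differently, and how a control reduces inherent to residual exposure:

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact_usd: float        # quantitative impact: loss if the event occurs
    probability: float       # quantitative likelihood: annual probability (0..1)
    impact_rating: int       # qualitative impact rating, 1 (low) .. 5 (high)
    likelihood_rating: int   # qualitative likelihood rating, 1 (low) .. 5 (high)


def quantitative_exposure(r: Risk) -> float:
    """R = I x P expressed in dollars per year (inherent risk, no controls)."""
    return r.impact_usd * r.probability


def qualitative_score(r: Risk) -> int:
    """R = I x P on a 5x5 grid; both factors are an assessor's judgement."""
    return r.impact_rating * r.likelihood_rating


def qualitative_band(score: int) -> str:
    """Map a grid score to the Low / Medium / High bands of a heat map (assumed cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def residual_exposure(r: Risk, control_effectiveness: float) -> float:
    """Residual risk: inherent exposure left after a control that removes a fraction of it."""
    return quantitative_exposure(r) * (1.0 - control_effectiveness)


def rank(risks, key):
    """Risk names ordered from highest to lowest by the chosen scoring method."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


# Constructed, hypothetical airline risks (not the numbers used in class).
RISKS = [
    Risk("Reservation system outage", 2_000_000, 0.05, 5, 3),
    Risk("Payment card data breach", 5_000_000, 0.03, 5, 1),
    Risk("Crew scheduling data entry errors", 50_000, 0.80, 2, 4),
    Risk("Lost baggage claims", 20_000, 0.90, 2, 5),
]

if __name__ == "__main__":
    print("Quantitative:", rank(RISKS, quantitative_exposure))
    print("Qualitative: ", rank(RISKS, qualitative_score))
    for r in RISKS:
        print(f"{r.name}: ${quantitative_exposure(r):,.0f}/yr, "
              f"grid {qualitative_score(r)} ({qualitative_band(qualitative_score(r))})")
```

Note that the rare, very expensive breach tops the quantitative ranking but lands in the Low band qualitatively, because a 1–5 likelihood scale cannot express a 3% probability: this is the kind of subjectivity and trade-off between the two methods referred to above.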

We ended our session after a quick – very quick – introduction to Controls. Both Risk and Controls are very important so we will spend next week digging a little deeper into these.

Have a great week.

Week 04 – Wrap Up

Class Video: Not Available. We conducted this class entirely online and there was no video capture.

Class Slides and Mindmap: Week 04-Laws Regs and Vendor Management.pptx

There are many factors to take into account when determining the scope of an audit assurance initiative. It requires:

  • Identifying all the Stakeholders and their stake. These are what drive the engagement
  • Determining the objectives of the engagement based on internal and external environmental factors
  • Identifying the enablers in scope to obtain the most comprehensive scope for the assurance engagement

You will find more information on Scoping in Section 2B, Chapter 3 – Determine Scope of the Assurance Initiative – of COBIT 5 for Assurance.

The link above is for the class slides and the mind map we drew during class. Mind mapping is a great way to break down a subject – scoping the assurance initiative – or ideas into smaller concepts or steps. It is a great tool for brainstorming. If you liked the tool I used – XMind – there’s a free version you can use. Google “mind mapping software” and you’ll get a few hits.

I’ll post reading assignments for our next class sometime tomorrow.


Week 03 – Discussion Question 3

The articles selected for this week are mostly focused on the soft skills required for our profession. After all, we are working with people, even though we are IT Auditors. There are plenty of opinions regarding the so-called “Millennial” generation. This is the generation you will most likely be working with as you mature in your career. How do you think the Audit and Assurance profession will benefit from their contributions?

Week 03 – Discussion Question 1

Dr. Ed Glebstein, Ph.D. lists and describes in his article “Is There Such a Thing as a Bad Auditor” a number of “Auditor Types” with the intent of helping readers recognize possible weaknesses in themselves.

Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.

Week 02 – Wrap Up

Class Video: Week 02 – Principles and COBIT

Class Slides: Week 02 Class Slides

This week was all about context. We learned about our role as IT audit professionals by taking apart the definition of Assurance:

  • It requires an accountability relationship; one party is accountable to another that sets direction. Management is accountable to the directors.
  • It results in a conclusion expressed in writing regarding the results of an audit engagement (a formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met).

We also spoke – briefly – about the guiding principles codified in the ISACA Code of Professional Ethics which guide the professional and personal conduct of ISACA members and certification holders. The Code of Professional Ethics warrants more than a brief mention so expect to hear more in our next session.

Finally, we discussed the structure of ITAF… but there’s more to come on this as well.

I’ll be posting more in the coming days. Have a great week.