INFORMATION TECHNOLOGY RISK
FRAMEWORKS & AUDITS
Presented by: Tauyanago Piason
CIA, CHFI, SAP (SCM), SAP (AUDITING), ISO 27001 (LEAD IMPLEMENTER)
Module Objectives
• Explore the Information Technology (IT) Risk Landscape
• Relate IT Risk Assessment and Governance Frameworks
• Share Experience on IT Auditing
• Relate IT Assurance and International Professional Practice Frameworks
IT Risk Landscape - 4IR - D-VUCA-D
• Emerging technologies of the Fourth Industrial Revolution (4IR) are Disruptive, Volatile, Unpredictable, Complex, Ambiguous and Diverse
• Fusion of advances in artificial intelligence (AI), robotics, the Internet of Things (IoT),
blockchain, 3D printing, genetic engineering, etc.
• Driven by disruptive trends including the rise of data (big data) and connectivity, analytics,
human-machine interaction, and improvements in robotics.
• Collective force behind many products and services that are indispensable to modern life.
• Cloud may eliminate the need for on-premises hardware (servers) and software (licensing issues), saving
money and keeping data more accessible. However, data and processing held at remote, provider-controlled
locations bring their own risks
• Perceived cloud confidentiality breaches and outsourcing risks require robust contract management
systems
• In the cloud, digital footprints are numerous, making it difficult to relate assets to specific
processes.
• Overlooking some attack vectors places cloud-based platforms at higher risk of cyberattack.
• Digital footprint mapping and attack surface monitoring can be used to identify corporate assets
and surface potential risks and vulnerabilities.
Cybersecurity Risks Prompted by COVID-19
• COVID-19 pandemic forced organizations into a remote operating model
• At the start of the pandemic, the challenge was to protect devices and systems
• Vulnerability as staff work outside of corporate firewalls.
• Cybercriminals took advantage, conducting phishing attacks and disinformation
campaigns.
• Phishing attacks using email and bogus websites to trick victims into revealing sensitive
information.
• Disinformation campaigns to spread discord, manipulate public conversation, influence policy
development, or disrupt markets.
• Need for investment in digital capability and innovations
• IT security team reminders and training on security, monitoring systems, and timeliness of
response to security incidents.
IT Risk Landscape
Disruption is the norm in the world of business
•Technological, political, economic, socio-cultural
•Wars - e.g. the Russia-Ukraine war: use of technology, impact on the global supply chain
•Natural disasters - earthquakes, floods, may present a prolonged network outage
•Disruptive innovation usually involves a startup disrupting an established player
using technology as a competitive advantage or key success factor.
•Disruption of an event, a system, or a process may result in discontinuity,
suspension or reversal of the status quo.
•Adaptation is needed: virtual auditing, e-mail, virtual meetings, document
management systems, etc.
IT Risk Landscape
• Desirable transformation – maximise benefits
Embrace new technologies and implement innovative ways of working
Develop new business markets and models,
Generate efficiencies through automation, and
• Undesirable transformation – Mitigate risks
The number of possible entry points for attackers increases,
as does the exposure of confidential information and the opportunity to cause damage.
Lack of adequate relevant skills, expensive technologies, and negative perceptions
(fear of job loss)
Business continuity, cyber and information security threats call for organisational
agility and dynamism to keep up with digital threats.
Increased complexity, which makes identifying and managing risks more difficult.
IT Risk Landscape
• The risks presented by technology are a double-edged sword.
• Effectively manage the rapidly changing technological environment by implementing technology
and tools that respond directly to opportunities and threats, giving
in-depth insights,
enhanced capabilities and rapid processing speeds to plan for disruption, and
the ability to stay one step ahead of any threats.
• E.g. identifying an impending denial-of-service attack allows preventive measures to be introduced
that disarm the attacker before any major damage has occurred.
• Proactive approach reduces financial and operational setbacks, fostering business continuity
across every level of the organisation.
• The challenge for risk management professionals is to overcome any disconnect between their
role and the available technology.
• IT risks include hardware and software failure, human error, spam, viruses and malicious
attacks, as well as natural disasters such as fires, cyclones or floods
Risks related to the IT environment
To manage IT risks, auditors need to:
a)Understand the purpose of an IT control and its significance to enterprise-wide controls
b)Balance the risk and control requirements - Pervasive risks affect the entire organisation whilst specific
risks affect an identified process.
•Automation reduces risks present in manual systems but introduces risks that were not in the manual environment:
a)Elimination of physical documents (paperless office) - a data trail replaces the physical paper trail.
b)Legislation must change to admit original digital evidence in prosecution cases.
c)Duties are less segregated, as automation may reduce personnel.
d)Deliberate harmful acts by hackers, e.g. distribution of child sexual abuse material, ransomware, denial of service,
unauthorised transfer of funds (fraud or theft).
e)Health and safety (light and heat emission).
f)The cost of running obsolete (outages and data breaches) and unsupported technology can be high.
g)At the end of life of a technology there are challenges such as integration issues, limited functionality,
low service levels, lack of available skills and missing vendor support.
Business impact of technology obsolescence
Risks related to data
• Information risk - inaccurate information used to make business decisions.
• Systematic errors - due to faulty code or configuration, duplications at master data or data
input stage.
• Unauthorised access through remote login and hacking.
• Costly loss of data due to hardware failure, power outages and environmental factors.
• Poor design of software controls.
• Master data may lack integrity due to delays in updates.
• Shared data between systems and availability of evidence only in electronic formats increase
the potential IT risks.
• Mobile device privacy is complicated to manage, and mobile devices are the most vulnerable because they
are the most used.
• Countermeasures for mobile devices include two-factor authentication, the mobile equipment identity
(the IMEI, displayed by dialling *#06#) and the Central Equipment Identity Register (CEIR), which tracks
IMEIs and blocks those reported lost or stolen
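The IMEI check and CEIR-style lookup mentioned above, as an added worked example that is not part of the original slides: the fifteenth digit of an IMEI is a Luhn check digit, so a register can reject mistyped or fabricated identifiers before consulting its denylist. The sample IMEIs, the local blocklist and the `ceir_status` helper are constructed for illustration; a real CEIR is queried through the operator's or GSMA's interface, not a local set.

```python
import re

# Constructed denylist standing in for a CEIR / GSMA IMEI database lookup
# (assumption: a real register is queried over an API, not held in a local set).
BLOCKED_IMEIS = {"490154203237518"}  # constructed: treated as reported stolen


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for a 14-digit IMEI body (TAC + serial).

    Working right to left, every second digit (starting with the one that
    sits immediately left of the check-digit position) is doubled and the
    digits of the product are summed; the check digit brings the total to a
    multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(raw: str) -> dict:
    """Normalise and validate an IMEI as typed by a user or read from a handset.

    Spaces and hyphens are tolerated (e.g. '49-015420-323751-8' as displayed
    by *#06#). Returns 'valid' plus a 'reason' when invalid, or the
    TAC / serial / check-digit split when valid.
    """
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit():
        return {"valid": False, "reason": "non-digit characters"}
    if len(digits) != 15:
        return {"valid": False, "reason": f"expected 15 digits, got {len(digits)}"}
    body, check = digits[:14], int(digits[14])
    expected = luhn_check_digit(body)
    if check != expected:
        return {"valid": False, "reason": f"check digit {check} != expected {expected}"}
    return {"valid": True, "imei": digits, "tac": digits[:8],
            "serial": digits[8:14], "check_digit": check}


def ceir_status(raw: str, blocked=BLOCKED_IMEIS) -> str:
    """Classify an IMEI the way a CEIR-style register would before admitting a device.

    Malformed identifiers are rejected outright so they can never be used to
    bypass the denylist by 'almost matching' a blocked entry.
    """
    parsed = parse_imei(raw)
    if not parsed["valid"]:
        return "invalid: " + parsed["reason"]
    return "blocked" if parsed["imei"] in blocked else "allowed"


if __name__ == "__main__":
    for sample in ("49-015420-323751-8", "352099001761481", "490154203237519", "4901542032375"):
        print(f"{sample:20} -> {ceir_status(sample)}")
```

A single mistyped digit or an adjacent transposition (other than 09/90) changes the Luhn sum, so the second sample above is rejected rather than silently looked up as an unknown, and therefore "allowed", device.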
2022 World Economic Forum Global Risks Report
• About 95% of cyber-attacks can be traced back to human negligence or human-based attacks
• A security system is as strong as its weakest link: and in Information Security, that link is the
human factor.
• Employees present an elevated risk for corporations’ information resources.
Threat agents
• Malicious hackers, novices (script kiddies), hacktivists
• Organized crime, Terrorists
• Insiders (including system administrators and developers),
• Nation/States
Real Time Threat Intelligence
• Gather vulnerability velocity and volume, exploit data, fixes and patch information
• Experimenting – Penetration testing, ethical hacking
• Predictive modelling - helps you anticipate and neutralise future threats.
KPMG Technology Risk Management Survey 2022
• 72% of organizations bring tech risk teams into projects once technology risk issues have
already appeared and
• 47% adopt technologies such as mobile apps and devices without even including them in risk
assessments
• Technology risk management needs to evolve to be prepared for the new, fast-paced and
disruptive world.
• Many organizations operating in the digital age do not consider technology risk as a value
center and still remain stuck in traditional, compliance-focused approaches to technology risk
that don’t offer the best control of technology assets, processes, and people
• These approaches are characterised by static qualitative measurement, reactive risk decisions and a lack of
innovation.
IT Risk, Control and Governance Frameworks
Enterprise Governance of Information Technology (EGIT) frameworks
IT Service Management (ITSM)
Information Technology Infrastructure Library (ITIL)
COSO Control and Risk Management Framework IT Principles
Control Objectives for Information and Related Technology (COBIT)
National Institute of Standards and Technology (NIST)
International Organization for Standardization (ISO) - ISO/IEC 27001, ISO 31000 (the 2009 edition cited here has since been superseded by ISO 31000:2018)
EGIT SYSTEM PRINCIPLES
Enterprise Governance of Information Technology (EGIT)
• Developed to protect the integrity of information assets, deliver value to stakeholders through
governance and management of IT, by aligning strategic objectives with operational objectives.
• Maximise value through synergy in the overall enterprise governance hierarchy. All stakeholders,
including the board, senior management, internal customers and departments, provide input into the IT
decision-making process.
• Stewardship of IT resources on behalf of internal and external stakeholders. The board of directors directs
management to implement IT systems and controls.
• IT enabler of exploiting opportunities and maximising benefits. IT resources and risk to be managed
• Implement practices that provide feedback on value delivery and risk management. Broad processes are:
• IT resource management - maintaining an inventory of IT resources and addressing their risks
• Performance measurement - performance indicators are optimised for value delivery; deviations give
early detection of risk.
• Compliance management—Focuses on implementing processes that address legal and regulatory policy
and contractual compliance requirements
Enterprise Governance Framework
IT SERVICE MANAGEMENT (ITSM)
• Based on principles of customer focus, quality, continual improvement, process
refinement, and cultural mind-set reorientation to attain desired business
outcomes
• Enables maximisation of business value and positions IT services as a means of
delivering value
• Incorporates various management approaches such as lean manufacturing, change
management, system analysis and risk management.
• Works across the lifecycle of a service, from the original strategy, through design,
transition and into live operation.
• Establishes a set of practices constituting sustainable quality IT service
management system.
Information Technology Infrastructure Library (ITIL)
• Most adopted and recognized body of knowledge for ITSM.
• Practice guidance can be used in setting up SLAs for Hardware, Software,
and Network resources to maintain uninterrupted operation through controls,
incident handling and auditing.
• Describes processes organised around five service lifecycle stages (ITIL v3/2011; ITIL 4 replaces the
lifecycle with a service value system and 34 practices):
• Service Strategy,
• Service Design,
• Service Transition,
• Service Operation, and
• Continual Service Improvement
COSO - Control Environment
Principle 2: Oversight of the development and performance of internal control.
•IT Steering Committee understanding of relevant systems and technology
•Skills and expertise to evaluate the organization’s approach to managing
opportunities and risks on new technology innovations & critical systems
Principle 3: Structures
•Technology is leveraged to create workflow and information flows within and
across the overall entity and its subunits
Principle 4: Competence of staff
•knowledge of the operation of technology platforms underpinning the business
processes
COSO - Risk Assessment
Principle 8: Fraud risks
•Organization should identify ways that fraudulent reporting can occur, considering nature
of technology and manipulation of information
•Fraud risks may increase due to turnover in technology staff and ineffective technology
systems
Principle 9: New Technology
•When new technology is incorporated into processes internal controls need to be
modified
•A successful IT risk management plan reduces uncertainty and empowers decision-makers to be
fully aware of the information risks in their digital landscape.
•The programme minimises the impact of data breaches and increases resilience to cyberattacks,
resulting in cost savings
COSO - Control Activities
Principle 10: Select and Develop Control Activities to Mitigate Risk
•Consider the entity’s internal control components, business processes, information technology, and
locations where control activities are needed.
•Restricted access is especially important where technology is integral to an organization’s processes or
business.
•Configuring the security in applications to address restricted access can be complex and requires
technical knowledge and a structured approach.
•Technology may be embedded in the entity to support business processes
•E.g. robotic automation in a manufacturing plant - control activities are needed to mitigate the risk that the
technology itself will stop operating properly.
•Technology used to automate control activities - Automation can reduce risks in manual systems and
introduce other risks that were not in the manual environment.
COSO – Control Activities
Principle 11 – The reliability of IT within business processes, including automated controls,
depends on selection, development, & deployment of general control activities over IT
I.IT General Controls (ITGCs)
Relate to policies and procedures that apply across the IT environment supporting many applications, rather
than to individual transactions
Include physical and environmental security, logical security (access management), change management,
backup and recovery, incident management and information security
•Application Controls
I.Embedded, configurable controls that execute automatically within the application, based on
predefined criteria, circumstances, times, dates or events
II.Apply to each transaction, e.g. edit checks, validations, calculations, numeric range checks,
interface controls, authorisations, data matching, error checking and batch control totals
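The application controls listed above, as an added worked example that is not from the original slides: a batch of accounts-payable payments is run through edit checks, numeric range validation, data matching against a vendor master, duplicate detection, an authorisation rule (large amounts need an approver other than the preparer) and batch control totals (record count and hash total of amounts). The vendor master, the thresholds and the sample batch are constructed assumptions for illustration.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed vendor master file and control parameters (assumptions for the example).
VENDOR_MASTER = {"V001": "Acme Supplies", "V002": "Northwind Ltd"}
MAX_AMOUNT = Decimal("50000.00")          # numeric range: ceiling for a single payment
APPROVAL_THRESHOLD = Decimal("10000.00")  # authorisation: above this a second person must approve
REQUIRED_FIELDS = ("txn_id", "vendor_id", "invoice_no", "amount", "posted", "prepared_by")


def validate_transaction(txn: dict, seen_invoices: set, period_end: date) -> list:
    """Apply transaction-level application controls; return a list of exception messages."""
    errors = [f"missing field {f}" for f in REQUIRED_FIELDS if not txn.get(f)]
    if errors:                      # edit check: cannot evaluate the rest reliably
        return errors
    try:                            # validation: amount must be numeric
        amount = Decimal(str(txn["amount"]))
    except InvalidOperation:
        return [f"amount {txn['amount']!r} is not numeric"]
    if amount <= 0 or amount > MAX_AMOUNT:      # numeric range check
        errors.append(f"amount {amount} outside range (0, {MAX_AMOUNT}]")
    try:                                        # edit check: real date, inside the period
        if date.fromisoformat(txn["posted"]) > period_end:
            errors.append(f"posted {txn['posted']} after period end {period_end}")
    except ValueError:
        errors.append(f"posted {txn['posted']!r} is not a valid date")
    if txn["vendor_id"] not in VENDOR_MASTER:   # data matching against the master file
        errors.append(f"vendor {txn['vendor_id']} not in vendor master")
    key = (txn["vendor_id"], txn["invoice_no"])  # duplicate check within the batch
    if key in seen_invoices:
        errors.append(f"duplicate invoice {txn['invoice_no']} for vendor {txn['vendor_id']}")
    seen_invoices.add(key)
    if amount > APPROVAL_THRESHOLD:             # authorisation: four-eyes above threshold
        approver = txn.get("approved_by")
        if not approver:
            errors.append("amount above threshold but no approver")
        elif approver == txn["prepared_by"]:
            errors.append(f"self-approval by {approver}")
    return errors


def run_batch_controls(batch: dict) -> dict:
    """Run transaction controls, then batch control totals (record count and hash total)."""
    header, txns = batch["header"], batch["transactions"]
    period_end = date.fromisoformat(header["period_end"])
    exceptions, seen, hash_total = {}, set(), Decimal("0")
    for txn in txns:
        errs = validate_transaction(txn, seen, period_end)
        if errs:
            exceptions[txn.get("txn_id", "?")] = errs
        try:
            hash_total += Decimal(str(txn.get("amount", "0")))
        except InvalidOperation:
            pass  # already reported as a transaction exception
    batch_errors = []
    if len(txns) != header["record_count"]:
        batch_errors.append(f"record count {len(txns)} != declared {header['record_count']}")
    if hash_total != Decimal(header["control_total"]):
        batch_errors.append(f"control total {hash_total} != declared {header['control_total']}")
    return {"transaction_exceptions": exceptions, "batch_exceptions": batch_errors,
            "accepted": not exceptions and not batch_errors}


# Constructed sample batch: totals reconcile, but two transactions fail controls.
SAMPLE_BATCH = {
    "header": {"batch_id": "AP-2024-06-17", "period_end": "2024-06-30",
               "record_count": 4, "control_total": "27450.00"},
    "transactions": [
        {"txn_id": "T1", "vendor_id": "V001", "invoice_no": "INV-881", "amount": "1200.00",
         "posted": "2024-06-12", "prepared_by": "alice"},
        {"txn_id": "T2", "vendor_id": "V002", "invoice_no": "INV-102", "amount": "15000.00",
         "posted": "2024-06-14", "prepared_by": "bob", "approved_by": "bob"},
        {"txn_id": "T3", "vendor_id": "V999", "invoice_no": "INV-007", "amount": "250.00",
         "posted": "2024-06-15", "prepared_by": "alice"},
        {"txn_id": "T4", "vendor_id": "V001", "invoice_no": "INV-882", "amount": "11000.00",
         "posted": "2024-06-20", "prepared_by": "alice", "approved_by": "carol"},
    ],
}

if __name__ == "__main__":
    print(run_batch_controls(SAMPLE_BATCH))
```

Note that the batch totals reconcile even though two transactions are rejected: control totals catch lost or altered records in transit, not bad content, which is why both layers are needed.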
COSO – Information & Communication – Principle 13 Quality information
COSO – Monitoring – Principle 16 & 17
COBIT
• Control objectives for information and related technology
• The COBIT framework can be leveraged and adapted.
• Developed to support EGIT by providing a framework to ensure that
a) IT is aligned with the business,
b) IT enables the business and maximizes benefits,
c) IT resources are used responsibly, and
d) IT risk is managed appropriately.
• COBIT provides tools to assess and measure the performance of IT processes within an
organization
• The COBIT framework provides guidance on IT controls that are relevant to the business
• Each process can be classified as fully addressed, partially addressed or not applicable by
comparing the standard COBIT framework with the organisation's reality.
COBIT- Governance and Management objectives
• COBIT 2019 includes 40 governance and management objectives,
• Clear distinction between governance and management.
• Organized into five domains
Governance domain
i. Evaluate, Direct and Monitor (EDM)
Management domains
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate and Assess (MEA)
National Institute of Standards & Technology
Risk Management Framework
ISO/IEC 27001
• The International Organization for Standardization (ISO)/International Electrotechnical
Commission (IEC)
• The ISO/IEC 27000 series is a set of best practices providing guidance to organisations
implementing and maintaining information security programmes.
• ISO/IEC 27001 has become a well-known standard in the industry for information security
management systems (ISMS)
Information Technology Assurance Framework (ITAF)
1006 Proficiency
1006.1 IT audit and assurance practitioners, collectively with others assisting with the audit and assurance
engagement, shall possess the professional competence to perform the work required.
1006.2 IT audit and assurance practitioners shall possess adequate knowledge of the subject matter to perform their
roles in IT audit and assurance engagements.
1006.3 IT audit and assurance practitioners shall accept only tasks that are within their knowledge and skills, or for
which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task
under supervision.
1008 Criteria
1008.1 IT audit and assurance practitioners shall select criteria, against which the subject matter will be assessed, that
are objective, complete, relevant, reliable, measurable, understandable, widely recognized, authoritative, and
understood by, or available to, all readers and users of the report.
1008.2 IT audit and assurance practitioners shall consider the acceptability of the criteria and focus on criteria that
are recognized, authoritative and publicly available.
ITAF
1201 Risk Assessment in Planning
1201.1 The IT audit and assurance function shall use an appropriate risk assessment
approach (i.e., data-driven with both quantitative and qualitative factors) and
supporting methodology to develop the overall IT audit plan and to determine priorities
for the effective allocation of IT audit resources.
1201.2 IT audit and assurance practitioners shall identify and assess risk relevant to the
area under review when planning individual engagements.
1201.3 IT audit and assurance practitioners shall consider subject matter risk, audit risk
and related exposure to the enterprise when planning audit engagements.
ITAF
IT Auditor Skills and Knowledge
Risk-based audit planning
• Development of the enterprise-wide risk based internal audit plan
• The deployment of audit resources to areas within an organization that represent the
greatest risk
• ICT asset identification is an initial step in IT risk based audit planning process
Networks
Databases;
Applications;
ICT Projects
ICT asset inventory of Laptops, servers, PCs etc;
Vendor and Contract management
Disaster Recovery sites
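A risk-based prioritisation of the audit universe, as an added example that is not from the original slides, of the "data-driven with both quantitative and qualitative factors" approach ITAF 1201.1 calls for: qualitative ratings (criticality, data sensitivity, control maturity) and quantitative counts (years since last audit, open findings) are normalised, weighted and used to allocate audit hours across ICT assets of the kinds listed above. The weights, factor scales and the four assets are assumptions for illustration, not a prescribed model.

```python
# Weights for the scoring model (assumption: illustrative, to be set by the audit committee).
WEIGHTS = {"criticality": 0.30, "data_sensitivity": 0.25, "control_maturity": 0.20,
           "years_since_audit": 0.15, "open_findings": 0.10}


def normalise(asset: dict) -> dict:
    """Map each factor onto [0, 1] so ratings and counts can be combined.

    Ratings use a 1-5 scale; control maturity is inverted because mature
    controls reduce residual risk. Counts are capped so one outlier cannot
    dominate the score.
    """
    return {
        "criticality": (asset["criticality"] - 1) / 4,
        "data_sensitivity": (asset["data_sensitivity"] - 1) / 4,
        "control_maturity": (5 - asset["control_maturity"]) / 4,
        "years_since_audit": min(asset["years_since_audit"], 5) / 5,
        "open_findings": min(asset["open_findings"], 10) / 10,
    }


def risk_score(asset: dict) -> float:
    """Weighted sum of the normalised factors, in [0, 1]."""
    n = normalise(asset)
    return sum(WEIGHTS[k] * n[k] for k in WEIGHTS)


def build_audit_plan(assets: list, total_hours: int, min_hours: int) -> list:
    """Rank assets by score and allocate audit hours in proportion to risk.

    Every asset keeps a floor of min_hours so low-risk assets still get
    periodic coverage; the remaining pool is split proportionally to score.
    Rounding residue goes to the top-ranked asset so the plan sums exactly
    to total_hours.
    """
    if total_hours < min_hours * len(assets):
        raise ValueError("not enough hours to give every asset the minimum")
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a["name"]))
    pool = total_hours - min_hours * len(assets)
    total_score = sum(risk_score(a) for a in ranked) or 1.0
    plan = [{"name": a["name"], "score": round(risk_score(a), 3),
             "hours": min_hours + round(pool * risk_score(a) / total_score)}
            for a in ranked]
    plan[0]["hours"] += total_hours - sum(p["hours"] for p in plan)
    return plan


# Constructed audit universe (assumption: illustrative values, not real data).
AUDIT_UNIVERSE = [
    {"name": "Core banking application", "criticality": 5, "data_sensitivity": 5,
     "control_maturity": 2, "years_since_audit": 3, "open_findings": 4},
    {"name": "HR payroll database", "criticality": 4, "data_sensitivity": 5,
     "control_maturity": 3, "years_since_audit": 1, "open_findings": 1},
    {"name": "Marketing website", "criticality": 2, "data_sensitivity": 1,
     "control_maturity": 4, "years_since_audit": 5, "open_findings": 0},
    {"name": "Disaster recovery site", "criticality": 4, "data_sensitivity": 3,
     "control_maturity": 2, "years_since_audit": 4, "open_findings": 2},
]

if __name__ == "__main__":
    for row in build_audit_plan(AUDIT_UNIVERSE, total_hours=400, min_hours=20):
        print(f"{row['name']:28} score={row['score']:.3f} hours={row['hours']}")
```

The floor matters: without it the marketing website, unaudited for five years, would receive almost nothing, and an asset that is never audited is exactly where stale assumptions about control maturity go unchallenged.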
Gartner Audit Plan Hotspots (2022)
• Ransomware
• Data and Analytics Governance
• Digital Business Transformation
• IT Governance
• Third Parties
• Business Continuity and Organizational Resilience
• Environmental, Social and Governance
• Supply Chain
• Retention and Recruitment
INFORMATION SYSTEMS AUDITING
• Examine management controls within an IT infrastructure and business applications
• Support operational effectiveness through IT-business alignment, accurate financial
reporting, compliance with regulation and information asset protection.
• Focus on the information and related systems upon which businesses and public
institutions depend for competitive advantage
• To evaluate the control environment and internal controls regarding
• IT governance structure,
• general and application controls,
• system development,
• backup and disaster recovery,
• data integrity, and
• system security.
Sample security tools
Conclusion
International Professional Practices Framework (IPPF)
Standard 1210.A3
Internal auditors must have sufficient knowledge of:
1.Key IT risks and controls
2.Technology-based audit techniques (CAATs)
3.Not every internal auditor is expected to have the expertise of an auditor whose primary responsibility is IT auditing
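A computer-assisted audit technique for the segregation-of-duties risk raised earlier in the deck (automation leaving duties less segregated, and insiders including developers and system administrators as threat agents), as an added example that is not part of the original slides: a user access listing is flattened into the business functions each user can actually execute and checked against a conflict matrix, with approved compensating controls looked up in an exception register so mitigated and unmitigated conflicts are reported separately. The role catalogue, users, conflict rules and mitigation entries are all constructed for the example.

```python
# Constructed role-to-function mapping, as an auditor would extract it from an ERP or IAM system.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "DEVELOPER": {"change_code"},
    "RELEASE_MANAGER": {"deploy_code"},
    "SYSADMIN": {"deploy_code", "manage_users"},
}

# Constructed user access listing (assumption: illustrative users).
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["DEVELOPER", "SYSADMIN"],
    "dave": ["DEVELOPER"],
    "erin": ["RELEASE_MANAGER"],
    "frank": ["GHOST_ROLE"],  # stale reference: role no longer in the catalogue
}

# Conflicting function pairs and the fraud or error each combination enables.
CONFLICT_RULES = [
    ({"create_vendor", "approve_payment"}, "fictitious vendor paid by the person who created it"),
    ({"enter_invoice", "approve_payment"}, "invoice entered and approved without a second pair of eyes"),
    ({"change_code", "deploy_code"}, "unreviewed code pushed straight to production"),
    ({"manage_users", "approve_payment"}, "grant oneself rights and then approve payments"),
]

# Approved compensating controls (assumption: constructed exception register).
MITIGATIONS = {
    ("bob", frozenset({"create_vendor", "approve_payment"})): "CFO reviews vendor-master changes monthly",
}


def effective_functions(user: str) -> tuple:
    """Flatten a user's roles into the set of functions they can execute.

    Returns (functions, unknown_roles): a role missing from the catalogue is a
    data-quality finding in its own right, not something to ignore silently.
    """
    functions, unknown = set(), []
    for role in USER_ROLES.get(user, []):
        if role in ROLE_FUNCTIONS:
            functions |= ROLE_FUNCTIONS[role]
        else:
            unknown.append(role)
    return functions, unknown


def sod_review() -> dict:
    """Check every user against every conflict rule; report findings and data issues."""
    findings, data_issues = [], []
    for user in sorted(USER_ROLES):
        functions, unknown = effective_functions(user)
        for role in unknown:
            data_issues.append(f"{user}: assigned role {role} not in role catalogue")
        for pair, risk in CONFLICT_RULES:
            if pair <= functions:  # user holds both sides of the conflict
                findings.append({
                    "user": user,
                    "functions": sorted(pair),
                    "risk": risk,
                    "mitigation": MITIGATIONS.get((user, frozenset(pair))),
                })
    return {"findings": findings, "data_issues": data_issues}


if __name__ == "__main__":
    result = sod_review()
    for f in result["findings"]:
        status = "mitigated: " + f["mitigation"] if f["mitigation"] else "UNMITIGATED"
        print(f"{f['user']:6} {'+'.join(f['functions']):32} {status}")
    for issue in result["data_issues"]:
        print("data issue:", issue)
```

Two points the run makes that a manual review often misses: the conflict sits at the function level, so it appears whenever any combination of roles grants both halves, and a mitigation recorded for one of bob's conflicts does not cover the second one his roles also create.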