Application-level IT Risk Assessment
Kerry L. Shackelford
KLS Consulting LLC
ISACA Denver Chapter Meeting
February 21, 2008
KLS Consulting LLC
Outline
- Why this topic?
- SEC interpretive guidance
- ABC's implementation approach
- Design of the ITRA model
- Model walk-through / Q&A
Why This Topic? GRC Spending Skyrockets
Governance, Risk and Compliance landscape (slide diagram):
- Board and Entity Management
- Enterprise Risk Mgt (COSO, COCO)
- Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.)
- Corporate Policy and Procedure Management
- Operational Risk Mgt / SOX-Like (Japan, Canada, EU)
- IT Governance (CobiT, ISO 17799 & 27001-ISM)
- IT Risk Mgt (CobiT, ITIL, etc.)
- Specific Areas (PCI-DSS, AML, etc.)
- Internal Audit Departments
- Financial Institution Risk Mgt (Basel II, etc.)
- Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)
Why This Topic? US Congress Responds
Why This Topic? Corporate Outcry Begins
“The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.”
Journal of Accountancy, Two Years and Counting, June 2007
Why This Topic? Fix: Audit Firms
Per the PCAOB policy statement issued 5/16/05, the auditors should:
- Integrate their audits
- Tailor audit plans to their client’s risks
- Use a top-down approach
- Use the work of others
- Communicate directly and timely with clients
Why This Topic? SOX Year Two - 2005
Why This Topic? Corporate Outcry (cont.)
The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.
Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services, www.issproxy.com
Why This Topic? Fix: Issuer (& Audit Firms)
SEC Interpretive Guidance: For Issuer Management
Guidance Regarding Management’s Report on Internal Control Over Financial Reporting
Effective Date: June 27, 2007
www.sec.gov/rules/interp/2007/33-8810.pdf
ACTION: Interpretation.
SEC Interpretive Guidance: Underlying Principles
Management should:
- Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
- Base its assessment of risk on the evaluation of evidence about the operation of its controls.
SEC Interpretive Guidance: Benefits
ITRA Overview - Approach
1. Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
2. Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
3. Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.
ITRA Model Walk-Through
ITRA Run Settings
- Assignment of point values to risk factors
- Break points which define Low, Medium, and High risk applications
- Excluding risk factor categories from results
- Excluding missing / unknown data
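The three-step approach from the Overview and the four run settings above, worked through as an added example. This is not the speaker's ITRA model (the deck only walks through it); the factor names and the APPL / ADOS / DBMS categories are taken from the slides, while the point values, thresholds, the 34% / 67% break points, the classification of each factor as inherent or control, the "higher of the two ratings" overall rule, the procedure levels and the sample application are all assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Callable

# Added example of an ITRA-style scoring model. Factor names and the APPL / ADOS /
# DBMS categories come from the slides; every point value, threshold and break
# point below is an assumed run setting, not the deck's own.

@dataclass(frozen=True)
class Factor:
    dimension: str          # "inherent" or "control" (assumed split per factor)
    scorer: Callable        # raw observation -> points, or None when data is unknown
    max_points: int

def banded(dimension, thresholds):
    """One point for each threshold the observed count reaches; unknown stays None."""
    def scorer(value):
        return None if value is None else sum(1 for t in thresholds if value >= t)
    return Factor(dimension, scorer, len(thresholds))

def mapped(dimension, table):
    """Points looked up from a table of categorical values; unknown stays None."""
    def scorer(value):
        return None if value is None else table[value]
    return Factor(dimension, scorer, max(table.values()))

# Run setting 1: point values per risk factor (assumed values, a subset of the deck's list).
POINT_VALUES = {
    "APPL": {
        "Vendor-Reputation": mapped("inherent", {"strong": 0, "average": 1, "weak": 3}),
        "Users-Count": banded("inherent", [50, 500, 5000]),
        "Customization": mapped("inherent", {"none": 0, "minor": 1, "major": 3}),
        "Changes-Count-Emergency": banded("control", [1, 5, 10]),
        "Gaps-SOD-Count": banded("control", [1, 3, 5]),
        "Failures-Count": banded("control", [1, 3, 6]),
    },
    "ADOS": {
        "App Server OS-Version-Supported": mapped("inherent", {True: 0, False: 3}),
        "Gaps-Security-Count": banded("control", [1, 3, 5]),
    },
    "DBMS": {
        "Version-Supported": mapped("inherent", {True: 0, False: 3}),
        "Gaps-Changes-Count": banded("control", [1, 3, 5]),
    },
}

@dataclass
class RunSettings:
    point_values: dict
    break_points: tuple = (0.34, 0.67)      # setting 2: Low below 34%, Medium below 67%, else High (assumed)
    excluded_categories: set = field(default_factory=set)   # setting 3: categories left out of results
    exclude_unknown: bool = True            # setting 4: drop unknown factors (else score as worst case)

def score_dimension(observations, settings, dimension):
    """Return (earned, possible) points for one risk dimension, honouring the exclusions."""
    earned = possible = 0
    for category, factors in settings.point_values.items():
        if category in settings.excluded_categories:
            continue
        for name, factor in factors.items():
            if factor.dimension != dimension:
                continue
            points = factor.scorer(observations.get(category, {}).get(name))
            if points is None:
                if settings.exclude_unknown:
                    continue                # unknown leaves both numerator and denominator
                points = factor.max_points  # otherwise scored conservatively at the maximum
            earned += points
            possible += factor.max_points
    return earned, possible

def rate(earned, possible, break_points):
    """Map a points ratio onto Low / Medium / High with the configured break points."""
    if possible == 0:
        return "Unrated"
    ratio = earned / possible
    return "Low" if ratio < break_points[0] else "Medium" if ratio < break_points[1] else "High"

LEVEL = {"Low": 0, "Medium": 1, "High": 2}
PROCEDURES = {"Low": "inquiry and walkthrough", "Medium": "walkthrough plus limited testing",
              "High": "full control testing", "Unrated": "obtain the missing data first"}

def assess(observations, settings):
    """Inherent, control and overall ratings plus the evaluation depth the overall rating calls for."""
    inherent = rate(*score_dimension(observations, settings, "inherent"), settings.break_points)
    control = rate(*score_dimension(observations, settings, "control"), settings.break_points)
    rated = [r for r in (inherent, control) if r != "Unrated"]
    overall = max(rated, key=LEVEL.__getitem__) if rated else "Unrated"   # assumed rule: higher of the two
    return {"inherent": inherent, "control": control, "overall": overall, "procedures": PROCEDURES[overall]}

# Constructed sample application; None marks data the evaluator could not obtain.
SAMPLE_APP = {
    "APPL": {"Vendor-Reputation": "average", "Users-Count": 1200, "Customization": "major",
             "Changes-Count-Emergency": 7, "Gaps-SOD-Count": 2, "Failures-Count": None},
    "ADOS": {"App Server OS-Version-Supported": False, "Gaps-Security-Count": 0},
    "DBMS": {"Version-Supported": True, "Gaps-Changes-Count": None},
}

if __name__ == "__main__":
    print(assess(SAMPLE_APP, RunSettings(POINT_VALUES)))                         # control rated Low
    print(assess(SAMPLE_APP, RunSettings(POINT_VALUES, exclude_unknown=False)))  # control rated Medium
```

The sample shows why the fourth run setting matters: with the two unknown control factors dropped, the application scores 3 of 9 control points and rates Low, but scoring the same unknowns at the worst case gives 9 of 15 and a Medium rating, which in turn changes the evaluation procedures the overall rating calls for. Excluding a category (setting 3) removes its factors from both numerator and denominator in the same way.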
ITRA Risk Factors
Information categories:
- APPL (Application Systems)
- ADOS (Application / Database Server Operating Systems)
- DBMS (Data Base Management Systems)
Plus basic APPL information.
Bias towards objective vs. subjective evaluation criteria.
ITRA APPL Basic Information
- Name
- SOX-Indicator
- IC-Dept
- Vendor-Name
- Original-Implementation-Date
- Major-Release-Implementation-Date
- Software-Version
- Support-Source
- Infrastructure Management-Source
- App-Server-OS-Vendor, Product, Version, & SP-Level
- DB-Server-OS-Vendor, Product, Version, & SP-Level
- DB-DBMS-Vendor, Product, Version, & SP-Level
ITRA APPL Risk Factors (1 of 2)
- Vendor-Reputation
- Months-Post-Original-Implementation-Date
- Months-Post-Major-Release-Date
- Version-Supported
- Users-Count
- Customization
- User-Configurable
- Simple-or-Complex-Logic
- Interfaces-Total-Count
- Interfaces-Manual-Count
- Changes-Count-Normal
- Changes-Count-Emergency
- Failures-Count
- Restores-Count
ITRA APPL Risk Factors (2 of 2)
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QAAR-Count
- Gaps-SOD-Count
- Gaps-Other-Count
- Outages-Count-Days
- Outages-Hours
- Processes-Supported-Count
- BP-Risk-Average-Inherent
- Materiality-I-Count
- Materiality-G-Count
- Materiality-S-Count
- IT Tier
ITRA ADOS Risk Factors
- Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
- App Server OS-Vendor-Reputation
- DB Server OS-Vendor-Reputation
- App Server OS-Version-Supported
- DB Server OS-Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QOSR-Count
- Gaps-Other-Count
- Production-Server-Count
ITRA DBMS Risk Factors
- Vendor-Reputation
- Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QDBR-Count
- Gaps-Other-Count
ITRA Model Walk-Through (cont.)
ITRA Major Data Sources
- IC Department: APPL Lists, CMS Reports, APPL Narratives, Detailed Assessment ITGC Documentation, Gap Logs
- Evaluator: Judgment, Internet Research
- IT Department: APPL Lists, Infrastructure Lists, Change Records, Outage Reports, Problem Reports
- Outsourcers: SAS 70 Reports, Change Records, Problem Reports