Application-level IT Risk Assessment Kerry L. Shackelford KLS Consulting LLC ISACA Denver Chapter Meeting February 21, 2008


Page 1

Application-level IT Risk Assessment

Kerry L. Shackelford

KLS Consulting LLC

ISACA Denver Chapter Meeting

February 21, 2008

Page 2

Outline

Why this topic?
SEC interpretive guidance
ABC’s implementation approach
Design of the ITRA model
Model walk-through / Q&A

Page 3

Why This Topic? - GRC Spending Skyrockets

Governance, Risk, Compliance

Board and Entity Management

Enterprise Risk Mgt (COSO, COCO)

Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.)

Corporate Policy and Procedure Management

Operational Risk Mgt

SOX-Like (Japan, Canada, EU)

IT Governance (CobiT, ISO 17799 & 27001-ISM)

IT Risk Mgt (CobiT, ITIL, etc.)

Specific Areas (PCI-DSS, AML, etc.)

Internal Audit Departments

Financial Institution Risk Mgt (Basel II, etc.)

Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)

Page 4

Why This Topic? - US Congress Responds

Page 5

Why This Topic? - Corporate Outcry Begins

“The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.”

Journal of Accountancy, Two Years and Counting, June 2007

Page 6

Why This Topic? - Fix: Audit Firms

Per the PCAOB Policy Statement issued 5/16/05, the auditors should:
Integrate their audits
Tailor audit plans to their client’s risks
Use a top-down approach
Use the work of others
Communicate directly and timely with clients

Page 7

Why This Topic? - SOX Year Two - 2005

Page 8

Why This Topic? - Corporate Outcry (cont.)

The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.

Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services, www.issproxy.com

Page 9

Why This Topic? - Fix: Issuer (& Audit Firms)

Page 10

SEC Interpretive Guidance - For Issuer Management

Guidance Regarding Management’s Report on Internal Control Over Financial Reporting
Effective Date: June 27, 2007
www.sec.gov/rules/interp/2007/33-8810.pdf
ACTION: Interpretation.

Page 11

SEC Interpretive Guidance - Underlying Principles

Management should:
Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
Base its assessment of risk on the evaluation of evidence about the operation of its controls.

Page 12

SEC Interpretive Guidance - Benefits

Page 13

ITRA - Overview: Approach

Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.

Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.

Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

Page 14

Page 15

ITRA - Model Walk-Through

Page 16

ITRA - Run Settings

Assignment of point values to risk factors

Break points which define Low, Medium, and High risk applications

Excluding risk factor categories from results

Excluding missing / unknown data

Page 17

ITRA - Risk Factors

Information Categories:
APPL (Application Systems)
ADOS (Application / Database Server Operating Systems)
DBMS (Data Base Management Systems)
Plus basic APPL information
Bias towards objective vs subjective evaluation criteria
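As an added example (not from the deck or from KLS Consulting), the Python below implements the run settings listed on Page 16 against the information categories on this page: point values per factor, break points for Low / Medium / High, excluding a risk factor category, and excluding missing / unknown data. The point scales, the sample application record and the single composite score are constructed assumptions; the deck's split into inherent and control risk and the Company's own overall-risk methodology are not modelled.

```python
from dataclasses import dataclass, field

# Constructed point scales for a few of the deck's risk factors, grouped by
# the deck's information categories (APPL, ADOS, DBMS). The deck names the
# factors but publishes no point values; these numbers are illustrative.
POINTS = {
    "Vendor-Reputation":               ("APPL", {"Strong": 0, "Average": 2, "Weak": 5}),
    "Version-Supported":               ("APPL", {"Yes": 0, "No": 5}),
    "Customization":                   ("APPL", {"None": 0, "Minor": 2, "Heavy": 5}),
    "App Server OS-Version-Supported": ("ADOS", {"Yes": 0, "No": 5}),
    "DBMS Version-Supported":          ("DBMS", {"Yes": 0, "No": 5}),
}
# Constructed inventory record for one application; None marks missing / unknown data.
SAMPLE_APP = {
    "Vendor-Reputation": "Average",
    "Version-Supported": "No",
    "Customization": "Heavy",
    "App Server OS-Version-Supported": "Yes",
    "DBMS Version-Supported": None,
}

@dataclass
class RunSettings:
    points: dict                          # factor -> (category, observed value -> points)
    break_points: tuple = (34, 67)        # score < 34 Low, < 67 Medium, otherwise High
    excluded_categories: set = field(default_factory=set)
    exclude_unknown: bool = True          # skip unknown factors, or score them at max

def score_application(app: dict, cfg: RunSettings) -> tuple:
    """Return (score 0-100, Low/Medium/High rating, list of factors evaluated)."""
    # Score = earned points as a percentage of the points available from the
    # factors actually evaluated, so exclusions narrow the evidence base rather
    # than silently lowering the rating.
    earned = possible = 0
    used = []
    for factor, (category, scale) in cfg.points.items():
        if category in cfg.excluded_categories:
            continue
        value = app.get(factor)
        if value is None and cfg.exclude_unknown:
            continue
        # Unknown data that is kept is scored conservatively at the maximum.
        pts = max(scale.values()) if value is None else scale[value]
        earned += pts
        possible += max(scale.values())
        used.append(factor)
    if possible == 0:
        return 0.0, "Unknown", used       # nothing left to evaluate
    score = round(100 * earned / possible, 1)
    low, med = cfg.break_points
    rating = "Low" if score < low else "Medium" if score < med else "High"
    return score, rating, used
```

Running the same record with exclude_unknown off moves it from Medium to High, which is exactly the kind of sensitivity the run settings are meant to expose before the rating drives the depth of control testing.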

Page 18

ITRA - APPL Basic Information

Name
SOX-Indicator-IC-Dept
Vendor-Name
Original-Implementation-Date
Major-Release-Implementation-Date
Software-Version
Support-Source
Infrastructure Management-Source
App-Server-OS-Vendor, Product, Version, & SP-Level
DB-Server-OS-Vendor, Product, Version, & SP-Level
DB-DBMS-Vendor, Product, Version, & SP-Level

Page 19

ITRA - APPL Risk Factors (1 of 2)

Vendor-Reputation
Months-Post-Original-Implementation-Date
Months-Post-Major-Release-Date
Version-Supported
Users-Count
Customization
User-Configurable
Simple-or-Complex-Logic
Interfaces-Total-Count
Interfaces-Manual-Count
Changes-Count-Normal
Changes-Count-Emergency
Failures-Count
Restores-Count

Page 20

ITRA - APPL Risk Factors (2 of 2)

Gaps-Security-Count
Gaps-Changes-Count
Gaps-QAAR-Count
Gaps-SOD-Count
Gaps-Other-Count
Outages-Count-Days
Outages-Hours
Processes-Supported-Count
BP-Risk-Average-Inherent
Materiality-I-Count
Materiality-G-Count
Materiality-S-Count
IT Tier

Page 21

ITRA - ADOS Risk Factors

Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
App Server OS-Vendor-Reputation
DB Server OS-Vendor-Reputation
App Server OS-Version-Supported
DB Server OS-Version-Supported
Changes-Count
Failures-Count
Gaps-Security-Count
Gaps-Changes-Count
Gaps-QOSR-Count
Gaps-Other-Count
Production-Server-Count

Page 22

ITRA - DBMS Risk Factors

Vendor-Reputation
Version-Supported
Changes-Count
Failures-Count
Gaps-Security-Count
Gaps-Changes-Count
Gaps-QDBR-Count
Gaps-Other-Count

Page 23

ITRA - Model Walk-Through (cont.)

Page 24

ITRA - Major Data Sources

IC Department: APPL Lists, CMS Reports, APPL Narratives, Detailed Assessment, ITGC Documentation, Gap Logs
Evaluator: Judgment, Internet Research
IT Department: APPL Lists, Infrastructure Lists, Change Records, Outage Reports, Problem Reports
Outsourcers: SAS 70 Reports, Change Records, Problem Reports

Page 25

Q&A

Kerry L. Shackelford
720-839-6359