Posted on 01-Apr-2015

Application-level IT Risk Assessment

Kerry L. Shackelford

KLS Consulting LLC

ISACA Denver Chapter Meeting

February 21, 2008

KLS Consulting LLC

Outline

Why this topic?
SEC interpretive guidance
ABC's implementation approach
Design of the ITRA model
Model walk-through / Q&A

Why This Topic? GRC Spending Skyrockets

Governance, Risk, Compliance

Board and Entity Management
Enterprise Risk Mgt (COSO, COCO)
Public Companies (Sarbanes-Oxley, NYSE, Nasdaq, Turnbull, etc.)
Corporate Policy and Procedure Management
Operational Risk Mgt
SOX-Like (Japan, Canada, EU)
IT Governance (CobiT, ISO 17799 & 27001-ISM)
IT Risk Mgt (CobiT, ITIL, etc.)
Specific Areas (PCI-DSS, AML, etc.)
Internal Audit Departments
Financial Institution Risk Mgt (Basel II, etc.)
Personal Information (FTC, HIPAA, GLBA, COPPA, EUD, etc.)

Why This Topic? US Congress Responds

Why This Topic? Corporate Outcry Begins

“The first-year implementation of new requirements for public companies’ internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America.”

Journal of Accountancy, Two Years and Counting, June 2007

Why This Topic? Fix: Audit Firms

Per the PCAOB Policy Statement issued 5/16/05, the auditors should:
Integrate their audits
Tailor audit plans to their client's risks
Use a top-down approach
Use the work of others
Communicate directly and timely with clients

Why This Topic? SOX Year Two - 2005

Why This Topic? Corporate Outcry (Cont.)

The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.

Source: “Second Anniversary: The Impact of Sarbanes-Oxley,” Institutional Shareholder Services, www.issproxy.com

Why This Topic? Fix: Issuer (& Audit Firms)

SEC Interpretive Guidance: For Issuer Management

Guidance Regarding Management's Report on Internal Control Over Financial Reporting
Effective Date: June 27, 2007
www.sec.gov/rules/interp/2007/33-8810.pdf
ACTION: Interpretation.

SEC Interpretive Guidance: Underlying Principles

Management should:
Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
Base its assessment of risk on the evaluation of evidence about the operation of its controls.

SEC Interpretive Guidance: Benefits

ITRA: Overview - Approach

Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.

Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.

Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

ITRA: Model Walk-Through

ITRA: Run Settings

Assignment of point values to risk factors

Break points which define Low, Medium, and High risk applications

Excluding risk factor categories from results

Excluding missing / unknown data
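To make the approach and run settings above concrete, here is an added example (not the presentation's own model or ABC's implementation): a small scoring engine that assigns point values to risk factors, applies break points for Low/Medium/High, lets a run exclude whole factor categories, and lets it exclude missing / unknown data. The point bands, break points, the rule for combining inherent and control risk into overall risk, and the sample application record are all assumptions made for illustration.

```python
"""Added example: a scoring engine shaped like the ITRA run settings.
Point bands, break points, the inherent/control combination rule and
the sample record are assumptions, not values from the presentation."""
INF = float("inf")

# Risk factors: (category, name, risk type, bands); a band is
# (upper bound, points) and the first band whose bound >= value applies.
FACTORS = [
    ("APPL", "Users-Count",             "inherent", [(50, 1), (500, 2), (INF, 3)]),
    ("APPL", "Interfaces-Manual-Count", "inherent", [(0, 1), (3, 2), (INF, 3)]),
    ("APPL", "Gaps-SOD-Count",          "control",  [(0, 1), (2, 2), (INF, 3)]),
    ("ADOS", "Gaps-Security-Count",     "control",  [(0, 1), (2, 2), (INF, 3)]),
    ("DBMS", "Version-Supported",       "control",  [(0, 3), (INF, 1)]),  # 1 = yes
]

# Break points: average points up to and including the bound -> rating.
BREAK_POINTS = [(1.5, "Low"), (2.3, "Medium"), (INF, "High")]
ORDER = ["Unrated", "Low", "Medium", "High"]

def points_for(bands, value):
    """Map a raw factor value to its assumed point value."""
    for bound, pts in bands:
        if value <= bound:
            return pts
    return bands[-1][1]

def rate(avg_points):
    """Turn an average point score into a Low/Medium/High rating."""
    return next(r for bound, r in BREAK_POINTS if avg_points <= bound)

def assess(app, excluded_categories=(), skip_missing=True):
    """Return (inherent, control, overall) ratings for one application.
    app maps factor name -> raw value; None marks missing / unknown data."""
    buckets = {"inherent": [], "control": []}
    for category, name, risk_type, bands in FACTORS:
        if category in excluded_categories:
            continue                      # run setting: category excluded
        value = app.get(name)
        if value is None and skip_missing:
            continue                      # run setting: drop unknown data
        # when unknown data is kept, score it at the factor's worst band
        pts = max(p for _, p in bands) if value is None else points_for(bands, value)
        buckets[risk_type].append(pts)
    ratings = {k: rate(sum(v) / len(v)) if v else "Unrated" for k, v in buckets.items()}
    # assumed company methodology: overall risk is the higher of the two ratings
    overall = max(ratings["inherent"], ratings["control"], key=ORDER.index)
    return ratings["inherent"], ratings["control"], overall

# Constructed sample record for one application; None = unknown.
SAMPLE_APP = {"Users-Count": 1200, "Interfaces-Manual-Count": 2, "Gaps-SOD-Count": 0,
              "Gaps-Security-Count": None, "Version-Supported": 1}
```

Running `assess(SAMPLE_APP)` with the default settings rates the sample High / Low / High; keeping unknown data (`skip_missing=False`) moves control risk to Medium, and excluding the APPL category leaves inherent risk Unrated.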

ITRA: Risk Factors

Information Categories:
APPL (Application Systems)
ADOS (Application / Database Server Operating Systems)
DBMS (Data Base Management Systems)

Plus basic APPL information
Bias towards objective vs subjective evaluation criteria

ITRA: APPL Basic Information

Name
SOX-Indicator-IC-Dept
Vendor-Name
Original-Implementation-Date
Major-Release-Implementation-Date
Software-Version
Support-Source
Infrastructure Management-Source
App-Server-OS-Vendor, Product, Version, & SP-Level
DB-Server-OS-Vendor, Product, Version, & SP-Level
DB-DBMS-Vendor, Product, Version, & SP-Level

ITRA: APPL Risk Factors (1 of 2)

Vendor-Reputation
Months-Post-Original-Implementation-Date
Months-Post-Major-Release-Date
Version-Supported
Users-Count
Customization
User-Configurable
Simple-or-Complex-Logic
Interfaces-Total-Count
Interfaces-Manual-Count
Changes-Count-Normal
Changes-Count-Emergency
Failures-Count
Restores-Count

ITRA: APPL Risk Factors (2 of 2)

Gaps-Security-Count
Gaps-Changes-Count
Gaps-QAAR-Count
Gaps-SOD-Count
Gaps-Other-Count
Outages-Count-Days
Outages-Hours
Processes-Supported-Count
BP-Risk-Average-Inherent
Materiality-I-Count
Materiality-G-Count
Materiality-S-Count
IT Tier

ITRA: ADOS Risk Factors

Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
App Server OS-Vendor-Reputation
DB Server OS-Vendor-Reputation
App Server OS-Version-Supported
DB Server OS-Version-Supported
Changes-Count
Failures-Count
Gaps-Security-Count
Gaps-Changes-Count
Gaps-QOSR-Count
Gaps-Other-Count
Production-Server-Count

ITRA: DBMS Risk Factors

Vendor-Reputation
Version-Supported
Changes-Count
Failures-Count
Gaps-Security-Count
Gaps-Changes-Count
Gaps-QDBR-Count
Gaps-Other-Count

ITRA: Model Walk-Through (cont.)

ITRA: Major Data Sources

IC Department: APPL Lists, CMS Reports, APPL Narratives, Detailed Assessment ITGC Documentation, Gap Logs
Evaluator: Judgment, Internet Research
IT Department: APPL Lists, Infrastructure Lists, Change Records, Outage Reports, Problem Reports
Outsourcers: SAS 70 Reports, Change Records, Problem Reports

Q&A

Kerry L. Shackelford
720-839-6359

Kerry@KLSConsultingLLC.com