
Session 2 – Risk Assessment




  1. Session 2 – Risk Assessment “There are risks and costs to a program of action, but they are far less than the long-range risks and costs of comfortable inaction.” – John F. Kennedy EECS4482 2016

  2. Chapter 2 – I & IT Risks
  • What can go wrong?
  • Control implications of IT

  3. Effect of Computer Processing
  • Transaction trails may not exist
  • Uniform processing of transactions eliminates random errors but may cause systematic errors
  • Incompatible functions may not be segregated, and many internal controls are combined in the computer

  4. Effect of Computer Processing
  • Potential for errors and irregularities through inappropriate access to computer data or systems; errors are also harder to observe
  • Potential for increased management supervision with a wide variety of analytical tools
  • Initiation or subsequent execution of transactions by computer

  5. Airline System Down Network failures in September 2016 caused British Airways and Delta to cancel many flights. AIS 2016 David C. Chan

  6. Welfare System Down In November 2014, welfare computer systems in British Columbia and Ontario crashed, paying thousands of recipients the wrong amounts of money.

  7. Some Examples of What Can Go Wrong In December 2013, Delta Air Lines’ reservation system had a glitch for half a day that let customers book flights with huge accidental savings, such as business-class flights from the continental United States to Hawaii at 10% of the normal fare.

  8. Some Examples of What Can Go Wrong In June 2012, LinkedIn investigated the possible leaking of several million of its users’ passwords after a member of a Russian online forum said he had managed to hack the popular networking site and upload close to 6.5 million passwords to the internet. October 2011 – BlackBerry global outage for 4 days.

  9. Some Sources of Problems
  • Requirement definition omissions or mistakes
  • System design
  • Hardware implementation, such as wiring and chip flaws
  • Programming
  • System use and operation

  10. Some Sources of Problems
  • Abuse and misuse
  • Hardware malfunction
  • Natural disasters
  • Maintenance or upgrade faults

  11. Inherent Risk
  • Risk of errors or undesirable financial events occurring.
  • Depends on the industry and nature of the organization.

  12. Control Risk
  • Risk of controls not being able to prevent or detect errors or undesirable events.
  • Depends on the organization’s practices and businesses.
  • It is the complement of control reliability.

  13. IT Effect on Inherent Risk
  • Inherent risk is the likelihood of an undesirable event occurring.
  • IT frequently affects inherent risk, as it supports new ways of doing business or involves new procedures for transaction processing.

  14. IT Effect on Inherent Risk
  • An example of how IT affects inherent risk is eBusiness.
  • eBusiness increases inherent risk because external parties are responsible for entering transaction data; customers are not trained data-entry staff, so the probability of input error is higher.

  15. IT Effect on Inherent Risk Can IT decrease inherent risk?

  16. IT Can Decrease Inherent Risk
  • Automation reduces human errors in transaction processing.
  • Automation can reduce delay in processing.

  17. IT Effect on Control Risk
  • Control risk is the risk of a control not working properly, either because of inappropriate design or because of non-compliance.
  • Does IT increase control risk?

  18. IT Effect on Control Risk
  • IT can increase control risk because it tends to weaken segregation of duties: fewer people are involved in transaction processing.
  • IT increases control risk when transaction pre-approval is replaced with exception checking.

  19. IT Effect on Control Risk
  • IT can reduce control risk by automatically creating an audit trail. An automated audit trail is prepared more consistently than a manual one.
  • IT can reduce control risk because computer edits are more reliable than human verification.

  20. Residual Risk
  • Residual risk = inherent risk × control risk.
  • Management should demand low residual risk.

  21. IT Effects on Risks
  • Overall, when more IT is used there are more factors increasing all risk types than decreasing them, mainly because of the less visible audit trail, weaker segregation of duties, open access and system complexity.

  22. Risks in Using IT
  • Think of risk as the absence of attributes that you want to see in a system or process to ensure: Completeness, Authorization, Accuracy, Timeliness, Occurrence.
  • Memorize them as CAATO.

  23. IT Risks
  • IT risks can occur in the input, processing and output phases of a transaction cycle.
  • IT risks can also occur on stored data.
  • There are also risks in simply retrieving data.

  24. Input Risks
  • Incorrect input, e.g., entering the wrong grades for students.
  • Untimely input, e.g., entering a course drop form after the drop deadline.
  • Incomplete input, e.g., omitting the processing of cheques cashed at a bank.

  25. Input Risks
  • Unauthorized transaction, e.g., one customer entering a Web transaction using another customer’s account.
  • Unauthorized change to master files, e.g., a warehouse staff member changing a sale price.
  • Lost audit trail.

  26. Processing Risks
  • Incomplete processing, e.g., a Web order releases inventory but does not charge the credit card after the credit check.
  • Inaccurate processing, e.g., an interest calculation is skipped because a program does not know how to cope with a hardware failure.
  • Undocumented processes.

  27. Processing Risks
  • Unauthorized processing – what does this mean?
  • An example is automatically transferring funds from a customer account without authorization.

  28. Processing Risks
  • Untimely processing, e.g., a payroll run after the cut-off date, resulting in employees not getting paid.
  • Another example is recording an invoice after the year-end closing, resulting in understatement of receivables or payables.

  29. Output Risks
  • Incomplete output, e.g., a cheque run terminated abruptly, resulting in some vendors not getting paid and the company being charged interest.
  • Inaccurate report.
  • Output distributed to the wrong recipients, e.g., warehouse staff receiving the executive pay report.

  30. Output Risks Examples:
  • Late report
  • Late customer statements
  • Late T4s (Canadian employee tax slips)

  31. Stored Data Risks
  • Unauthorized access to data, e.g., an accounts payable person downloads a payroll file.
  • Unavailability of data, e.g., a power outage knocks down a server and causes data corruption.
  • Data loss.

  32. Risk Matrix

  33. Other Systems Risks Outside Transaction Processing
  • Computer fraud
  • Computer crime
  • Hackers
  • Viruses

  34. Other Systems Risks
  • Incorrect use of systems and information
  • Use of systems and information for improper purposes
  • Sabotage

  35. Other Systems Risks
  • Disasters like fire and flood
  • Power failure
  • System not meeting user requirements
  • Hardware and software malfunctions

  36. Personal Computer Risks
  • Ease of access
  • Unstructured systems development
  • User may cause damage to files or operating systems
  • Unlicensed software
  • Virus infection
  • Loss of laptops

  37. Summary of Main Points
  • The risk factors of incompleteness, inadequate authorization, inaccuracy, untimeliness, lack of substantiation and inefficiency apply to inherent risk and control

  38. Summary
  • Residual risk = inherent risk × control risk.
  • The business owner owns the risk.
  • Senior management should set corporate guidelines and approval levels for risk acceptance.
  • Outsourcing increases all risks.

  39. Summary
  • Exposure = risk × materiality.
  • Threat = a particular risk without the probability quantification, e.g., the threat of terrorism. A threat, once quantified, becomes a risk.
  • Vulnerability = exposure resulting from control risk.
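A worked version of the formulas on slides 12, 20, 38 and 39 (control risk as the complement of control reliability, residual risk = inherent risk × control risk, exposure = risk × materiality, taking the risk in that last formula to be the residual risk), as an added example rather than material from the slides. The register entries, the 3×3 matrix cut-offs in `rating` and the approval thresholds in `approval_level` are assumed values for the illustration; the CAATO attributes and the input/processing/output/stored-data phases are the slides’ own.

```python
"""Added example (not from the slides): a small risk register that applies the
session's formulas.

    control risk  = 1 - control reliability          (slide 12)
    residual risk = inherent risk x control risk     (slides 20, 38)
    exposure      = residual risk x materiality      (slide 39)

The entries, matrix cut-offs and approval thresholds are constructed assumptions;
the CAATO attributes and transaction phases are the slides' own."""
from dataclasses import dataclass

CAATO = ("Completeness", "Authorization", "Accuracy", "Timeliness", "Occurrence")
PHASES = ("input", "processing", "output", "stored data")


@dataclass(frozen=True)
class Risk:
    name: str
    phase: str                  # part of the transaction cycle (slide 23)
    attribute: str              # the CAATO attribute whose absence this risk is (slide 22)
    inherent: float             # likelihood of the event with no controls, 0..1
    control_reliability: float  # how reliably the control prevents or detects it, 0..1
    materiality: float          # dollar impact if the event occurs

    def __post_init__(self):
        if self.phase not in PHASES:
            raise ValueError(f"unknown phase {self.phase!r}")
        if self.attribute not in CAATO:
            raise ValueError(f"unknown CAATO attribute {self.attribute!r}")
        for field in ("inherent", "control_reliability"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{field} must be a probability in [0, 1]")

    @property
    def control_risk(self) -> float:
        return 1.0 - self.control_reliability        # slide 12

    @property
    def residual_risk(self) -> float:
        return self.inherent * self.control_risk     # slides 20, 38

    @property
    def exposure(self) -> float:
        return self.residual_risk * self.materiality  # slide 39


def rating(p: float) -> str:
    """Bucket a probability for a 3x3 risk matrix (slide 32). Cut-offs are assumed."""
    return "High" if p >= 0.5 else "Medium" if p >= 0.2 else "Low"


def approval_level(exposure: float,
                   thresholds=((10_000, "business owner"), (100_000, "senior management"))) -> str:
    """Who may accept the residual exposure (slide 38). The bands are assumed
    corporate guidelines, not values from the slides."""
    for limit, approver in thresholds:
        if exposure <= limit:
            return approver
    return "board"  # above the top band: must be treated rather than accepted


def rank_register(register):
    """Entries ordered from largest to smallest exposure."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


# Constructed register, one entry per slide example (slides 25, 26, 29, 31).
REGISTER = [
    Risk("Customer transacts on another customer's account", "input",
         "Authorization", inherent=0.30, control_reliability=0.90, materiality=50_000),
    Risk("Order releases inventory but card is never charged", "processing",
         "Completeness", inherent=0.10, control_reliability=0.50, materiality=400_000),
    Risk("Cheque run terminated abruptly", "output",
         "Completeness", inherent=0.05, control_reliability=0.80, materiality=200_000),
    Risk("AP clerk downloads payroll file", "stored data",
         "Authorization", inherent=0.20, control_reliability=0.95, materiality=800_000),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.name[:48]:48} inherent={rating(r.inherent):6} "
              f"control={rating(r.control_risk):6} residual={r.residual_risk:.3f} "
              f"exposure=${r.exposure:,.0f} -> {approval_level(r.exposure)}")
```

The ranking makes the slide 21 point concrete: the entry with the lowest inherent likelihood (the uncharged order, 0.10) comes out on top, because its weak control (reliability 0.50) and high materiality dominate, and it is the only one that needs senior management to accept it.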
