In recent times, there has been a general trend for accountants to explore new types of assurance services.
The American Institute of Certified Public Accountants (AICPA) Special Committee on Assurance Services has analysed and reported on trends that are shaping the emerging environment of audit/assurance services, and they have also designed new assurance offerings that are especially suitable to the new environment.
Many of the new assurance services that are being recommended for CPAs are services in which information systems auditors are ideally suited to play a key role.
As will become evident from a detailed discussion on the new opportunities, these are also very much relevant for the Accountants that emerge from the Institute of Chartered Accountants of Pakistan (ICAP) and the Institute of Cost & Management Accountants of Pakistan (ICMAP).
In recent times, both these premier accounting and auditing institutions of the country have promoted awareness, education and training in information systems audit, management and control.
Along with the Certified Information Systems Auditors (CISAs) of the Information Systems Audit and Control Association (ISACA), qualified professionals from both Institutes need to come forward to take on the responsibility of providing assurance to management in the new e-business oriented economy.
Electronic commerce (EC) is quickly becoming a critical component of the collective marketing and sales efforts of both large and small organisations.
However, the technology that has facilitated this exciting new way of commercial exchange contains a variety of risks. Organisations must evaluate these risks and control them to maximise the benefits that EC offers to an array of customers and suppliers of products, services and information.
As a result, an abundance of opportunities exists for information systems auditors to provide assurances with respect to the security, integrity and privacy of data transmitted over the Internet, as well as the reliability of transmission hardware and software used in the communication process.
This write-up intends to identify potential assurance related opportunities based on relevant high-level and detailed control objectives set forth in Cobit(r): Control Objectives for Information and related Technology. (Cobit has been developed as an open standard by Information Systems Audit and Control Foundation (ISACF)).
IN PARTICULAR, THERE ARE FOUR NEWLY RECOMMENDED INFORMATION-RELATED ASSURANCE SERVICES:
1) Risk Assessment Assurance is a service that assures that "an entity's profile of business risks is comprehensive and evaluates whether the entity has appropriate systems in place to effectively manage those risks."
2) Electronic Commerce Assurance is a service that assures "whether systems and tools used in electronic commerce provide appropriate data integrity, security, privacy and reliability."
3) Systems Reliability Assurance is a service that assures "whether an entity's internal information systems (financial and non-financial) provide reliable information for operating and financial decisions."
4) WebTrustSM Assurance service is a type of electronic commerce assurance in which assurance is given " that web sites which offer electronic commerce meet standards of consumer information protection, transaction integrity and sound business practices."
RISK ASSESSMENT ASSURANCE: Risk assessment encompasses strategic, operating and information risks. As such, risk assessment is pervasive and has an impact on all systems and their reliability.
WebTrustSM assurance is a component of electronic commerce assurance, which could include other services such as assurance on the quality and reliability of an Internet Service Provider (ISP).
There are overlap areas between electronic commerce assurance (including WebTrustSM) and systems reliability assurance.
The primary objective of this article is to address how information systems auditors can play a lead role in providing Risk Assessment Assurance to internal or external constituents.
Specifically, this article attempts to link high-level and detailed control objectives provided by COBIT to salient aspects of Risk Assessment Assurance.
Assurance on risk assessment incorporates the needs of both managers and investors.
This service provides managers and investors with assurance that risks have been completely assessed and that precautions have been taken to mitigate potential deleterious effects arising from identified risks.
The brief summary of Risk Assessment Assurance provided herein is based on the AICPA literature.
For the purposes of this article, the various definitions provided by AICPA will be used.
(More complete details about this and other new assurance products can be found on the AICPA web site at www.aicpa.org.)
The AICPA uses the following definition of business risk: "the threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies successfully."
THEY CLASSIFY THIS RISK INTO THREE SUBTYPES:
(1) strategic environment risks;
(2) operating environment risks; and
(3) information risks.
THE AICPA DEFINES THESE THREE SUBTYPES AS FOLLOWS: Strategic environment risks - threats from broad factors external to the business including changes in customers' tastes and preferences, creation of substitute products or changes in the competitive environment, political arena, legal/regulatory rules and capital availability.
Operating environment risks - threats from ineffective or inefficient business processes for acquiring, transforming and marketing goods and services, as well as loss of physical, financial, information, intellectual or market-based (such as a customer base) assets, loss of markets or market opportunities, and loss of reputation.
Information risks - threats from the use of poor quality information for operational, financial or strategic decision making within the business and providing misleading information provided to outsiders.
USING COBIT(R) AS A GUIDE FOR NEW ASSURANCE SERVICES: Although COBIT was not developed to address new assurance services envisioned by the AICPA, the control objectives outlined in COBIT provide guidance to information systems auditors who wish to become instrumental in delivering such services.
COBIT was developed as an information technology governance tool to aid in understanding and managing the risks associated with information and related information technology.
The following discussion demonstrates how COBIT, now in its third edition, can be used to plan and implement process that will provide assurance on risk assessment.
COBIT provides a set of 34 high-level control objectives grouped into four domains:
Planning and Organisation,
Acquisition and implementation,
Delivery and support, and Monitoring.
A control objective is defined by COBIT as: "A statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity." Corresponding to each of the high-level control objectives are several detailed control objectives designed to facilitate audit planning.
The following sections provide a mapping of COBIT control objectives to the AICPA's vision of risk assessment assurance service.
OVERRIDING ISSUES:
Before delving into specifics regarding the three subtypes of risk, COBIT provides important guidance in two areas that should encompass all risk assessment assurance engagements.
The first issue is the formulation of a framework that can be used as a tool in risk assessment.
COBIT presents a Risk Analysis Framework that information systems auditors can use to assure that all critical aspects of risk have been duly considered (see figure two).
Risk analysis begins with asset valuation and threat assessment.
The result of these investigations yields an assessment of vulnerability. Threat and vulnerability assessments can be combined to assess risk. Based on the specifics of risk assessment, appropriate controls (countermeasures) are designed and employed.
Once controls are in place, control evaluations are performed, which lead to an assessment of residual risk.
The end result of this cycle is an action plan. Since risk assessment is an on-going process, the action plan is used as a catalyst to begin the cybernetic process once again.
Whether information systems auditors are involved in assessing strategic, operating, and/or information risks, they should use the risk assessment framework as an overall guide.
The second overriding issue associated with all risk assessment engagements is to ensure that management's aims and directions are properly communicated throughout the organisation.
COBIT considers this important issue in the sixth Planning & Organisation control objective (PO6).
The detailed objectives offer insight into how information systems auditors can develop an audit plan to assure that management's control policies are properly communicated and disseminated throughout the organisation.
Regardless of the type of risk assurance service provided by information systems auditors, effectiveness of the assurance relies heavily on open communication of control policies and plans throughout the entire organisational structure.
In the following three sections, there is an attempt to link specific high-level and detailed control objectives found in COBIT to the definition of business risk discussed earlier.
First however, four tables are given which show the most applicable high-level and detailed Control Objectives for easy reference.
The value of presenting this mapping is that it can assist information systems auditors in providing risk assessment assurance to interested internal or external parties.
Only the most applicable Control Objectives identified from COBIT have been included in the tables below.
(For a more complete description of the detailed control objectives and the audit guidelines, please visit www.isaca.org. Portions are an open standard and can be downloaded from the website without any charge.)
STRATEGIC ENVIRONMENT RISKS:
The first high-level control objective, "Define a Strategic Information Technology Plan PO1," deals with proper alignment of information technology with the organisation's strategic goals.
It is important to make such a determination, as misalignment can harm the competitive effectiveness of the organisation.
The next two high-level control objectives "Determine Technological Direction PO3" and "Define the Information Technology Organisation and Relationships PO4" also provide guidance concerning proper alignment of an organisation's information technology with its strategic goals.
It should be noted here that specific detailed control objectives are most beneficial in assessing strategic environment risks.
Finally, an important factor in assessing strategic risks concerns compliance with legal/regulatory rules. COBIT considers this factor in "Ensure Compliance with External Requirements (PO8)." As one can see, the framers of COBIT have already contemplated many of the key issues involved with assessing strategic environment risks.
OPERATING ENVIRONMENT RISKS: Information systems auditors often consider operating environment risks in their day-to-day activities; hence, they are already familiar with many of the issues surrounding this aspect of risk assessment assurance.
In particular, auditors should (a) assess the extent to which information technology is used to facilitate efficient and effective business processes, and (b) determine risks and controls associated with information technology related physical and intellectual property.
First, auditors should assess physical and logical security. Salient factors involved in this determination are found in "Define the Information Technology Organisation and Relationships PO4."
More detailed guidance can be found in COBIT's DS5, "Ensure Systems Security" and DS12, "Manage Facilities". Next, auditors should evaluate whether human resources are utilised properly to support the efficiency and effectiveness of information processing activities throughout the organisation.
Detailed control objectives in this regard are found in "Manage Human Resources PO7." Finally, COBIT considers the assessment of business risk in "Assess Risks PO9." In particular, information systems auditors must be concerned with issues of business interruption and continuity planning.
Guidance can be found as well in DS2, "Manage Third Party Services". Once again, COBIT provides links to the definition of operating environment risks.
INFORMATION RISKS: Information systems auditors can be very useful in identifying and assessing information risks. Proper "Roles and Responsibilities" within the information technology function and among other organisational business units are critical to maintaining an acceptable level of information risk.
Also, the "Responsibility for Quality Assurance" throughout the organisation should be clearly delineated in "Define the Information Technology Organisation and Relationships" PO4 and also in PO11, "Manage Quality".
The high-level control objective of "Assess Risks PO9" is key to providing information risks assurance.
The goal of PO9 is to (a) ensure the achievement of information technology objectives and (b) respond to threats to the provision of information technology services.
PO9 takes into consideration a variety of risks, scopes, methodologies and measurements (both quantitative and qualitative), as well as a risk action plan. As with strategic and operating environment risks, COBIT is sufficiently complete and adaptable to offer critical guidance in the area of information risk assurance.
CONCLUSION: According to the AICPA Special Committee on Assurance Services, control of business risks has become increasingly important due to changes in information technology.
As, "Information technology has reduced the time available to react to environmental change, streamlined and altered the design of business processes, and changed the optimal form of organisation."
These trends have resulted in downsizing efforts, organisational structure realignments, and control design changes.
Hence, the AICPA has envisioned Risk Assessment Assurance as a viable service offering. Assurance over risk assessment is designed to assist senior management and the board of directors in fulfilling their responsibilities.
In order for these groups to manage effectively, they need information about special risks inherent to their businesses and the potential impact of such risks.
In that light, the purpose of this article is to provide a first approximate mapping of COBIT to the AICPA's vision of Risk Assessment Assurance. Accordingly, high-level and detailed control objectives provided by COBIT have been linked to the definition of business risk, thereby providing critical guidance to information systems auditors who wish to provide risk assessment assurance to internal and external constituents.
The Information Systems Audit and Control Association should be pleased with COBIT as it has been shown to be comprehensive and adaptable to this new assurance service area.
It is hoped that this article is a catalyst for information systems auditors to become involved in the risk assessment assurance service area, as they are well situated to be proactive designers and deliverers of this and other critical assurance services.
This write-up is based on information collected from the Information Systems Control Journal and other material available from Information Systems Audit and Control Association.
Hussein Hassanali Haji is Senior Manager, Technology & Security Risk Services with Sidat Hyder Morshed Associates (Pvt) Ltd, a member firm of Ernst & Young International.
He is the President and founding member of ISACA Karachi Chapter, as well as Vice President of the Institute of Internal Auditors (IIA) Karachi Chapter and member of the IT Committee of the Institute of Chartered Accountants of Pakistan.
TABLE 1: COMMUNICATION OF MANAGEMENT'S AIMS AND DIRECTIONS (PO6)
1. Positive Information Control Environment
2. Management's Responsibility for Policies
3. Communication of Organisation Policies
4. Policy Implementation Resources
5. Maintenance of Policies
6. Compliance with Policies, Procedures and Standards
7. Quality Commitment
8. Security and Internal Control Framework Policy
9. Intellectual Property Rights
10 Issue Specific Policies
11. Communication of IT Security Awareness.
TABLE 2: ASSESSING STRATEGIC ENVIRONMENT RISKS
Define a Strategic Information Technology Plan (PO1)
1. Information Technology as Part of the Organisation's Long- and Short- Range Plan
2. Information Technology Long-Range Plan
3. Information technology Long-Range Planning - Approach and Structure
4. Information Technology Long-Range Plan Changes
5. Short-Range Planning for the Information Services Function
6. Assessment of Existing Systems
Determine Technological Direction (PO3)
2. Monitoring of Future Trends and Regulations
Define the Information Technology Organisation and Relationships (PO4)
1. The Information Services Function Planning or Steering Committee
2. Organisational Placement of Information Services Function
3. Review of Organisational Achievements
Ensure Compliance with External Requirements (PO8)
1. External Requirements Review
2. Practices and Procedures for Complying with External Requirements
3. Safety and Ergonomic Compliance
4. Privacy, Intellectual Property and Data Flow
5. Electronic Commerce
6. Compliance with Insurance Contracts
TABLE 3: ASSESSING OPERATING ENVIRONMENT RISKS
Define the Information Technology Organisation and Relationships
6. Responsibility for Logical and Physical Security
7. Ownership and Custodian-ship
8. Data and System Ownership
9. Supervision
10. Segregation of Duties
Manage Human Resources (PO7)
1. Personnel Recruitment and Promotion
2. Personnel Qualifications
3. Personnel Training
4. Cross-Training or Staff Back-up
Assess Risks (PO9)
1. Business Risk Assessment
TABLE 4: ASSESSING INFORMATION RISKS Define the Information Technology Organisation and Relationships
4. Roles and Responsibilities
5. Responsibility for Quality Assurance
Assess Risks (PO9)
2. Risk Assessment Approach
3. Risk Identification
4. Risk Measurement
5. Risk Action Plan
Risk Acceptance
(Convenor, Security Working Group, AFACT Pakistan)
Comments
Comments are closed.