Management: English-language business management PPT courseware (3)

Application-level IT Risk Assessment
Kerry L. Shackelford, KLS Consulting LLC
ISACA Denver Chapter Meeting, February 21, 2008

Outline
- Why this topic?
- SEC interpretive guidance
- ABC's implementation approach
- Design of the ITRA model
- Model walk-through / Q&A

Why This Topic? GRC Spending Skyrockets

Why This Topic? US Congress Responds

Why This Topic? Corporate Outcry Begins
"The first-year implementation of new requirements for public companies' internal control over financial reporting (ICFR) proved more burdensome and costly than expected, resulting in an outcry from corporate America."
Journal of Accountancy, "Two Years and Counting", June 2007

Why This Topic? Fix: Audit Firms
Per the PCAOB policy statement issued 5/16/05, the auditors should:
- Integrate their audits
- Tailor audit plans to their clients' risks
- Use a top-down approach
- Use the work of others
- Communicate directly and timely with clients

Why This Topic? SOX Year Two - 2005

Why This Topic? Corporate Outcry (Cont)
The average cost of being a public company with revenue under $1 billion rose $1.6 million, or 130%, since the Sarbanes-Oxley era began.
Source: "Second Anniversary: The Impact of Sarbanes-Oxley," Institutional Shareholder Services, www.issproxy.com

Why This Topic? Fix: Issuer (& Audit Firms)

SEC Interpretive Guidance: For Issuer Management
Guidance Regarding Management's Report on Internal Control Over Financial Reporting
Effective Date: June 27, 2007
www.sec.gov/rules/interp/2007/33-8810.pdf
ACTION: Interpretation.

SEC Interpretive Guidance: Underlying Principles
Management should:
- Evaluate whether it has implemented controls that adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
- Base its assessment of risk on the evaluation of evidence about the operation of its controls.

SEC Interpretive Guidance: Benefits

ITRA Overview - Approach
- Use risk factors (risk assessment evaluation criteria) to assess the level of inherent risk and control risk for each application system.
- Use the resultant risk ratings to determine the level of overall risk according to the Company's methodology.
- Use the overall risk assessment rating to guide the appropriate level of internal control evaluation procedures to be applied.

ITRA Model Walk-Through

ITRA Run Settings
- Assignment of point values to risk factors
- Break points which define Low, Medium, and High risk applications
- Excluding risk factor categories from results
- Excluding missing / unknown data

ITRA Risk Factors
Information categories:
- APPL (Application Systems)
- ADOS (Application / Database Server Operating Systems)
- DBMS (Data Base Management Systems)
- Plus basic APPL information
Bias towards objective vs subjective evaluation criteria

ITRA APPL Basic Information
- Name
- SOX-Indicator-IC-Dept
- Vendor-Name
- Original-Implementation-Date
- Major-Release-Implementation-Date
- Software-Version
- Support-Source
- Infrastructure Management-Source
- App-Server-OS-Vendor, Product, Version, & SP-Level
- DB-Server-OS-Vendor, Product, Version, & SP-Level
- DB-DBMS-Vendor, Product, Version, & SP-Level

ITRA APPL Risk Factors (1 of 2)
- Vendor-Reputation
- Months-Post-Original-Implementation-Date
- Months-Post-Major-Release-Date
- Version-Supported
- Users-Count
- Customization
- User-Configurable
- Simple-or-Complex-Logic
- Interfaces-Total-Count
- Interfaces-Manual-Count
- Changes-Count-Normal
- Changes-Count-Emergency
- Failures-Count
- Restores-Count

ITRA APPL Risk Factors (2 of 2)
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QAAR-Count
- Gaps-SOD-Count
- Gaps-Other-Count
- Outages-Count-Days
- Outages-Hours
- Processes-Supported-Count
- BP-Risk-Average-Inherent
- Materiality-I-Count
- Materiality-G-Count
- Materiality-S-Count
- IT Tier

ITRA ADOS Risk Factors
- Outsourcer-SAS 70 Report Opinion, Testing Exceptions-Moderate, & Testing Exceptions-Major
- App Server OS-Vendor-Reputation
- DB Server OS-Vendor-Reputation
- App Server OS-Version-Supported
- DB Server OS-Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QOSR-Count
- Gaps-Other-Count
- Production-Server-Count

ITRA DBMS Risk Factors
- Vendor-Reputation
- Version-Supported
- Changes-Count
- Failures-Count
- Gaps-Security-Count
- Gaps-Changes-Count
- Gaps-QDBR-Count
- Gaps-Other-Count

ITRA Model Walk-Through (cont)

ITRA Major Data Sources
IC Department:
- APPL Lists
- CMS Reports
- APPL Narratives
- Detailed Assessment
- ITGC Documentation
- Gap Logs
- Evaluator Judgment
- Internet Research
IT Department:
- APPL Lists
- Infrastructure Lists
- Change Records
- Outage Reports
- Problem Reports
Outsourcers:
- SAS 70 Reports
- Change Records
- Problem Reports

Q&A
Kerry L. Shackelford
720-839-6359
KerryKLSConsultingLLC.com
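The ITRA approach and run settings described above (points per risk factor, Low/Medium/High break points, excluded categories, excluded missing data), as an added example that is not part of the presentation or of KLS Consulting's model. The factor point bands, the split of factors into inherent vs control risk, and the "worse of the two" overall rule are assumptions standing in for the Company's methodology; the factor names and run settings come from the slides.

```python
# Added example: a minimal ITRA-style scorer. Point bands, the inherent/control
# split and the overall rule are assumptions; factor names are from the slides.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Factor:
    name: str
    category: str                 # APPL, ADOS or DBMS
    risk_type: str                # "inherent" or "control" (assumed split)
    points: Callable[[object], int]   # raw value -> points, 0 = lowest risk
    max_points: int

def band(edges, pts):
    """Map a numeric value to points: the first edge it is <= wins."""
    return lambda v: next(p for e, p in zip(edges, pts) if v <= e)

FACTORS = [   # a small subset of the slide factors, with assumed point bands
    Factor("Users-Count", "APPL", "inherent", band([50, 500, 1e9], [1, 3, 5]), 5),
    Factor("Simple-or-Complex-Logic", "APPL", "inherent", lambda v: 5 if v == "Complex" else 1, 5),
    Factor("Interfaces-Manual-Count", "APPL", "inherent", band([0, 3, 1e9], [0, 3, 5]), 5),
    Factor("Version-Supported", "APPL", "control", lambda v: 0 if v else 5, 5),
    Factor("Changes-Count-Emergency", "APPL", "control", band([0, 5, 1e9], [0, 3, 5]), 5),
    Factor("Gaps-Security-Count", "APPL", "control", band([0, 2, 1e9], [0, 3, 5]), 5),
    Factor("Gaps-Security-Count", "DBMS", "control", band([0, 2, 1e9], [0, 3, 5]), 5),
]

@dataclass
class RunSettings:
    break_points: tuple = (34, 67)          # % score: <34 Low, <67 Medium, else High
    excluded_categories: frozenset = frozenset()
    exclude_missing: bool = True            # drop unknowns, or score them worst-case

def rate(pct, bp):
    return "Low" if pct < bp[0] else "Medium" if pct < bp[1] else "High"

def score(app: dict, settings: RunSettings) -> dict:
    """Return (% score, rating) for inherent and control risk, plus overall."""
    got = {"inherent": [0, 0], "control": [0, 0]}        # [points, max points]
    for f in FACTORS:
        if f.category in settings.excluded_categories:
            continue
        v = app.get(f"{f.category}:{f.name}")
        if v is None and settings.exclude_missing:
            continue                                      # unknown data excluded
        pts = f.max_points if v is None else f.points(v)  # unknown = worst case
        got[f.risk_type][0] += pts
        got[f.risk_type][1] += f.max_points
    out = {}
    for kind, (pts, mx) in got.items():
        pct = round(100 * pts / mx) if mx else 0
        out[kind] = (pct, rate(pct, settings.break_points))
    order = ["Low", "Medium", "High"]     # overall = worse of the two (assumption)
    out["overall"] = max(out["inherent"][1], out["control"][1], key=order.index)
    return out

SAMPLE_APP = {   # constructed record; DBMS:Gaps-Security-Count deliberately missing
    "APPL:Users-Count": 1200, "APPL:Simple-or-Complex-Logic": "Complex",
    "APPL:Interfaces-Manual-Count": 4, "APPL:Version-Supported": True,
    "APPL:Changes-Count-Emergency": 7, "APPL:Gaps-Security-Count": 1,
}
```

Running `score(SAMPLE_APP, RunSettings())` rates the sample High on inherent risk and Medium on control risk; switching `exclude_missing` off pulls the control score up because the missing DBMS factor is scored worst-case.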