Risk Assessment (b) Flashcards
Name 4 “Executive Management” Functions:
(1) Plan
(2) Organize
(3) Direct
(4) Control
Name 5 IT-Related Outcomes of an “Executive Management” PLAN Function:
(1) Strategic Plan
(2) Risk Assessment (IT)
(3) Budgeting Plans (IT)
(4) How to Value IT
(5) Policies and Procedures (IT)
What should be considered by “Executive Management” in a “Strategic Plan”:
Strategic Plan:
- Provide general guidance for role and responsibilities of IT function
- Provide general direction for future developments and changes in IT
- Include a formal mechanism to ensure IT meets strategic objectives and is valued by an objective measure (ROI)
What should be considered by “Risk Assessment” in a “Strategic Plan”:
Risk Assessment:
- Include plans to mitigate identified risks
- Exec mgmt should perform an IT risk assessment to mitigate risks that can adversely affect the business
- Establish plans for the operational budget and capital budget of the IT function
Name 6 IT-Related Outcomes of an “Executive Management” ORGANIZE Function:
(1) Acquire necessary resources
- To accomplish entity goals and objectives, esp in strategic plan
(2) Dynamic IT portfolio
(3) IT function structure
- Centralized vs. decentralized
(4) IT Organization (IT segregation of duties, SoD)
(5) Operational budget (IT)
(6) Capital budget (IT)
Name 5 IT-Related Outcomes of an “Executive Management” DIRECT Function:
(1) Communicating Policies to IT personnel
(2) Communicating expectations to IT personnel
(3) Communicating advancement opportunities to IT personnel
(4) Communicating to remainder of entity role and responsibilities of IT function
(5) Managing IT function efficiently and effectively, esp addressing risks
Name 7 IT-Related Outcomes of an “Executive Management” CONTROL Function:
(1) IT projects and costs (via IT governance)
(2) Computer operations
(3) Quality of systems and technologies
(4) Quality of training of users
(5) Data integrity, security, and reliance
(6) Systems and technologies security
(7) Adequacy of automated controls in applications
What Risks are associated with “Computer Operations”?
- Failure to resolve IT problems in a timely manner (help desk efficiency and effectiveness)
- Failure to have systems adequately available
- Failure to restore operations after a major system failure or disaster (business continuity and disaster recovery)
- Failure to follow standard methods (IT best practices or IT policies)
- Failure to maintain quality standards (data, info, processes)
- Failure to document properly (new systems development)
- Failure to manage IT projects efficiently and effectively
- Failure to implement appropriate security measures
- Failure to adequately control users (malicious activities by employees, failure to properly use systems and technologies)
- Failure to have satisfactory audits and reviews of IT
What is an “IT Sophistication Framework”?
- A framework that categorizes the various characteristics of an entity’s IT into a simple taxonomy
Describe the 4 Tiers/Levels of “IT Sophistication”:
(1) Tier 0 - MAX
- Control risk (CR) can no longer be assessed at the maximum by default, but it can still be assessed at the maximum
- Controls will not be relied upon at all
(2) Tier 1 - LOW
- Characterized by standard, commercial, and simple IT (including networks, software and hardware)
- IT environment is simple: few workstations (less than 20 relevant ones), one or two locations, one or two servers
(3) Tier 2 - MODERATE
- Introduces a few IT risks above Tier 1, such as a few servers, emerging technologies, more than 20 but fewer than 100-200 relevant workstations, and a few custom apps (limited in number and scope; middleware)
- Still uses standard, popular apps and infrastructure
(4) Tier 3 - HIGH RISK
- Complex IT using some custom software, many workstations, heavy reliance on internal controls over financial reporting (ICFR) embedded in IT, non-standard software or IT infrastructure, and multiple platforms
- Automatically Tier 3 if the entity has:
(a) Custom-written apps
(b) An ERP (Enterprise Resource Planning) system
(c) Multiple operating systems