ADMS 4552 Study Guide - Corporate Governance Of Information Technology, Bilocation, Information System

Published on 7 Oct 2012
School: York University
Department: Administrative Studies
Course: ADMS 4552
ADMS 4552 Chapter 10
Corporate Governance Strategies and Risk Assessment Frameworks
- Information systems steering committee - composed of executives whose role would include oversight of IT
- Codified set of business ethics and code of conduct help promote an honest, ethical environment
- Enterprise risk management - has embodied risk management into the culture so that every employee is aware of it - organizational process that assists the organization in providing reasonable assurance of achieving its objectives
 o Manage organizational risk
- COSO - risk management framework
- Audit of overall effectiveness of corporate governance needs to consider the organizational structure of the organization
 o Consider management attitudes and the ethical environment of the organization
 o Also look at the alignment of each of the strategies with the business mission and purpose
COSO Enterprise Risk Management components, with examples of effective corporate governance of each component and audit techniques to audit the component's corporate governance:

Internal environment
- Risk culture, attitudes and behaviours, management philosophy, ethical values, integrity
- Examples of effective corporate governance:
 o Mandatory training for board members on the concepts of ERM
 o Board approval of ERM framework and code of ethics
- Audit techniques:
 o Inspect board ERM training program
 o Inspect board meetings and supporting documents justifying selection of ERM framework
 o Inspect code of ethics

Objective setting
- Setting of risk tolerance objectives in alignment with organizational mission, vision, and strategy
- Examples of effective corporate governance:
 o Board evaluation and approval of agreed risk terminology
 o Board evaluation and approval of management's recommended risk tolerances
- Audit techniques:
 o Inspect board minutes and supporting documents justifying risk tolerance objectives
 o Inquire of board members and management regarding the process for setting risk tolerances

Event identification
- Both internal and external events
- Those that could affect the ability to achieve goals
- Examples of effective corporate governance:
 o Management clearly provides a strategy for identifying risks
 o Board approves management's strategy and provides feedback
- Audit techniques:
 o Compare the org's identified risks to those identified by the auditor during the CBR assessment phase
 o Inspect board minutes and supporting documents where approval of the risk assessment strategy is provided

Risk assessment
- Methodically consider the potential impact and likelihood of risk events
- Examples of effective corporate governance:
 o Board approves risk assessment methodology
 o Board re-evaluates tolerances in light of the summarized risk evaluations
- Audit techniques:
 o Inspect risk assessment documentation
 o Inspect board minutes approving risk methodology and risk tolerances

Risk response
- Based on risk tolerance goals, select one of the four approaches:
 1. Acceptance - do nothing
 2. Avoidance - eliminate the activity that causes the risk
 3. Mitigation - reduce the effects of the risks by taking appropriate actions
 4. Transference - outsource, transfer, or share the risk using methods such as insurance or transfer of business processes
- Examples of effective corporate governance:
 o Board evaluates management's recommendation for risk responses
- Audit techniques:
 o Compare risk responses to recommendations of external or internal auditors or other specialized reports
 o Inspect documents recommending risk response activities
 o Inspect board minutes of approval
 o Inspect specialist reports recommending specific courses of action with respect to risk responses

Control activities
- Policies and practices for ensuring that the identified risk responses are actually completed
- Examples of effective corporate governance:
 o Evaluate and approve management's plan for ERM control activities
- Audit techniques:
 o Document the control activities, evaluate design effectiveness and conduct testing of ERM control activities where reliance is placed on the controls

Information and communication
- Information is gathered and communicated about the risk management process throughout all levels of the organization
- Audit techniques:
 o Inquire of management and request documentation to support information and communication methods; evaluate adequacy
 o Obtain copies of and inspect regular communications

Monitoring
- ERM is monitored, feedback provided and changes to the process are made as needed
- Examples of effective corporate governance:
 o Evaluate management recommendations for change to the ERM process
- Audit techniques:
 o Inspect board minutes with respect to the process and approval of changes to the ERM process
- Effective corp governance can reduce client business risk and result in a lower assessed control risk
IT governance and the audit of General information systems controls
- IT governance - policies, practices, and procedures that help IT resources add value while considering costs and benefits
- Adds value and helps prevent failures, keeping costs low
- IT dependence - a disconnect between the business strategy and MIS operation (no supervision of IT, so you rely on a small group of individuals)
- IT governance is linked with ERM and a sound control environment
- 3 general control categories
o Organization and management controls
o Systems acquisition, development, and maintenance
o Operations and information systems support
- Below are common issues with those categories
Organization and management controls
- Depends on factors like overall size, functions, and off-the-shelf or customized software
- Auditors may consider segregation of duties and the quality of documented policies and procedures regarding data ownership, management, privacy, code of conduct
- Auditor will consider level of technical expertise
- Super-users - have access to supervisory software or the ability to circumvent controls
- Turnkey software development - contracted to an outside party
- When software is purchased, management should ensure that the software is consistent with organizational objectives.
- Using the terminology of the information technology control guidelines, the acquisition process is broken down into 5 phases:
 1. Investigation - should it be obtained?
 2. Requirements analysis and initial design - document overall functionality and purpose of system
 3. Development/acquisition and system testing - specific functionality of the new system is identified, developed/acquired and tested
