Friday, March 20, 2020
Computer Risks and Exposures Essay Example
Computers of all kinds within an organisation are constantly faced with a variety of risks and exposures. It is helpful if we first define these terms:

- Computer risk: the probability that an undesirable event could turn into a loss.
- Computer exposure: results from a threat from an undesirable event that has the potential to become a risk.
- Vulnerability: a flaw or weakness in the system that can turn into a threat or a risk.

The total impact of computer risks ranges from minor to devastating and could include any or all of:

- Loss of sales or revenues
- Loss of profits
- Loss of personnel
- Failure to meet government requirements or laws
- Inability to serve customers
- Inability to sustain growth
- Inability to operate effectively and efficiently
- Inability to compete successfully for new customers
- Inability to stay ahead of the competition
- Inability to stay independent without being acquired or merged
- Inability to maintain the present customer/client base
- Inability to control costs
- Inability to cope with advancements in technology
- Inability to control employees involved in illegal activities
- Damage to business reputation
- Complete business failure

Computer risks, exposures and losses may be characterised as intentional or unintentional and may involve actual damage, alteration of data or programs, as well as unauthorised dissemination of information.
Objects which can be affected include: physical items such as the hardware or hard-copy outputs, which are both vulnerable to risks such as theft or loss; the telecommunications system, which can cause major corporate grief if unavailable for any reason as well as being vulnerable to internal or external penetration; the applications software which, being a major control element, is vulnerable to change, bypassing or direct sabotage; systems software such as the operating system itself, which can also be amended or circumvented; computer operations, where control procedures may be amended or bypassed; and the data itself, where virtually anything could happen.

The risks in IS are the reverse of the control objectives and must be treated as business risks. As such they are the responsibility of executive management, with enforcement at a technical level. Obviously, the relative importance of risks will vary, and the control techniques will vary from industry to industry and from company to company. The risks may be minimised but they can never be totally eliminated.

Computer System Threats

Threats may come from either external or internal sources and may be intentional or unintentional, as well as malicious or non-malicious. Internal threats may come from:

- Users
- Management
- IS Auditors
- IS Staff
- Others

acting alone or in collusion.

Users

Threats from this source are the most commonly occurring and include errors, fraud, breach of confidentiality (commonly accidental) or malicious damage. The most common causes of these threats are poor supervisory control combined with poor personnel procedures. In many cases far too much power has been granted to users who already have access to the assets. In many cases the users have an in-depth knowledge of the system's control weaknesses and are in a position to exploit them.
Management

Threats here again include error and fraud but may also include systems manipulation for corporate reasons such as profit smoothing, advance booking of sales or delayed recording of costs. Again breach of confidentiality is a hazard, together with malicious damage. Common causes here are likely to involve inadequate segregation of duties, with management in many cases unquestioned regarding the decisions they make and the transactions they authorise. This, combined with poor personnel procedures and too much power granted, can lead to major problems, particularly when combined with management's access to assets and their authority to override conventional control levels.

IS Auditors

A commonly ignored threat: IS auditors again are in a position to commit errors or fraud, to breach confidentiality or to cause malicious damage. In many cases there is little or no supervisory control exercised and far too much power granted. The auditors have access to the assets and a detailed knowledge of system weaknesses. In addition they have the right to attempt to break the system, although it is not supposed to be for their gain.

IS Staff

Threats here include the normal problems of error, fraud and breach of confidentiality as well as malicious damage. In this case, however, the impact of errors etc. tends to be further reaching, since they may affect not single transactions but every transaction passing through a system. Once again the most common problem is accidental destruction rather than deliberate sabotage. Common causes are typically too much power granted (for example, granting access to live data), poor change control and ineffective division of duties. In many cases computer staff hold the keys to the kingdom, and again they have the power associated with knowledge of the system.

Others

Other people also have access to computer systems, including engineers, salespersons etc.
Threats here again include errors, fraud and loss of confidentiality, as well as malicious damage and accidental destruction. Common causes in these cases include poor disposal of outputs, careless talk, inadequate access control (both physical and logical), publicity, and the advent and promotion of open systems.

External Threats

Threats may come from legitimate external users as well as from inter-computer links such as the Internet and Electronic Data Interchange systems, from system hackers and viral attacks, and from natural causes. Such threats are commonly caused by inadequate logical access control, resulting in high-value systems being unguarded. A poor security attitude among staff, coupled with an incorrect concept of computer security and an incorrect risk evaluation, can also open up such exposures.

Risk Management

With such a plethora of risk exposures, management must adopt a position on risk. It may involve any or all of accepting the risk, reducing the risk (normally by increased internal control) or transferring the risk. The option which is NOT acceptable is simply ignoring the risk. In order to adopt an appropriate position, management must know and understand the risk.

The Risk-based Audit Approach

In order to achieve an audit which is both efficient and effective, the risk-based approach allows the auditor to focus on the areas of highest impact. The initial audit activity is therefore to gather or update information about the organisation in order to determine the audit strategy. This determination includes forming audit judgements regarding the organisation and assessing the inherent and control risks in order to determine the appropriate audit testing plan. Inherent risk may be seen as the risk the organisation faces without the mitigating impact of internal controls. Control risk involves those elements of inherent risk not successfully mitigated by the internal control structures.
The initial information required would include knowledge of the organisation's business and its place within its industry, as well as knowledge of the applicable accounting, auditing and regulatory standards within the industry. These allow the determination of the overall business objectives of the organisation or departmental function. Once the business objectives have been determined, the auditor may proceed to identify and isolate the individual detailed control objectives. For example, the overall objective of the purchasing function is to buy items for the organisation. The control objectives for this function would include ensuring that only the right items are purchased, at the right price, in the right quantity, of the right quality, in an authorised manner, for delivery to the right place at the right time.

The risks then become those factors which can fully or partially prevent the achievement of the control objectives. The auditor must then determine which controls will mitigate those risks and what source of evidence exists as to the adequacy and effectiveness of that mitigation. Even prior to testing, the auditor can determine the adequacy of the control structures designed to mitigate the risk, on the assumption that the controls function as intended. In other words: if all controls function as intended, would the risks be controlled to management's predetermined acceptable level?

Once the source of evidence has been identified, the auditor can select the appropriate audit technique to determine whether the control objective has been achieved. These techniques could include interviews, reviews of documentation, reviews of systems or the use of computer-assisted audit techniques. After the auditor has decided upon the appropriate audit technique, the appropriate audit tool may be selected. For example, if the technique is to interview, the auditor must decide whether the interview will be face-to-face, by telephone or by videoconferencing. If the technique is to review data on files within the computer, the tool could be generalised audit software, general-purpose software or specific audit software.
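The risk-based audit procedure above (business objective, detailed control objectives, inherent and control risk, management's acceptable level, risk position, evidence source and audit technique) carried through in code on the essay's own purchasing example. This is an added illustration, not code from the essay or its author; the control objectives, risk ratings, control effectiveness figures, evidence sources and the acceptable level are all constructed sample values, and the multiplicative residual-risk model is an assumption chosen for the example.

```python
"""Risk-based audit planning, worked on a constructed purchasing example.

Added illustration, not code from the essay: it models inherent risk, the
control risk left after the controls designed to mitigate it, and
management's predetermined acceptable level, then decides a risk position
(accept / reduce / transfer; ignoring the risk is never an option) and
orders the audit testing plan by remaining risk. Every control objective,
rating, evidence source and technique below is sample data for the example.
"""
from dataclasses import dataclass, field

ACCEPT, REDUCE, TRANSFER = "accept", "reduce", "transfer"


@dataclass
class Control:
    name: str
    evidence: str         # where evidence of the control's operation exists
    technique: str        # audit technique suited to that evidence source
    effectiveness: float  # share of risk mitigated if it works as designed, 0..1


@dataclass
class ControlObjective:
    name: str
    inherent_risk: float        # likelihood x impact with no controls, 0..1
    controls: list = field(default_factory=list)
    transferable: bool = False  # can the remaining risk be passed to a third party?

    def control_risk(self) -> float:
        """Inherent risk not mitigated, assuming every control functions as intended.
        Assumed model: each control removes its share of whatever risk remains."""
        remaining = self.inherent_risk
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(remaining, 4)


def design_adequate(obj: ControlObjective, acceptable: float) -> bool:
    """Pre-testing judgement: does the control design alone bring risk within the acceptable level?"""
    return obj.control_risk() <= acceptable


def risk_position(obj: ControlObjective, acceptable: float) -> str:
    """Choose accept / transfer / reduce; 'ignore' is deliberately not a possible result."""
    if design_adequate(obj, acceptable):
        return ACCEPT
    if obj.transferable:
        return TRANSFER
    return REDUCE


def audit_plan(objectives, acceptable):
    """Rank objectives by control risk (highest impact first) and list the tests for each."""
    plan = []
    for obj in sorted(objectives, key=lambda o: o.control_risk(), reverse=True):
        plan.append({
            "objective": obj.name,
            "inherent_risk": obj.inherent_risk,
            "control_risk": obj.control_risk(),
            "position": risk_position(obj, acceptable),
            # each control is tested with the technique matching its evidence source
            "tests": [(c.name, c.technique, c.evidence) for c in obj.controls],
        })
    return plan


# Constructed control objectives for the purchasing function (sample data).
PURCHASING = [
    ControlObjective("right price", 0.8, [
        Control("approved supplier price list", "price list master file",
                "computer-assisted audit technique", 0.5),
        Control("three quotes above threshold", "quote file in purchasing",
                "review of documentation", 0.5),
    ]),
    ControlObjective("authorised manner", 0.9, [
        Control("PO approval limits enforced by system", "system configuration and PO log",
                "review of systems", 0.9),
    ]),
    ControlObjective("right quantity", 0.4, [
        Control("PO matched to approved requisition", "requisition and PO files",
                "computer-assisted audit technique", 0.6),
    ]),
    # no preventive control in place; a supplier warranty can carry the remaining risk
    ControlObjective("right quality", 0.5, [], transferable=True),
]
ACCEPTABLE_LEVEL = 0.1  # management's predetermined acceptable level (constructed)

if __name__ == "__main__":
    for row in audit_plan(PURCHASING, ACCEPTABLE_LEVEL):
        print(f"{row['objective']:<18} inherent={row['inherent_risk']:.2f} "
              f"control={row['control_risk']:.2f} position={row['position']}")
        for name, technique, evidence in row["tests"]:
            print(f"    test {name!r} via {technique} (evidence: {evidence})")
```

Run as a script, the plan lists "right quality" first (no control at all, so its control risk equals its inherent risk and the position is to transfer it), then "right price" and "right quantity" as objectives to reduce through further control, and "authorised manner" last, where the design already brings risk under the acceptable level and the auditor's remaining work is to test that the approval limits operate as configured.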