...Risk-Based IT Audit
Risk-Based Audit Methodology Apply to Organization's IT Risk Management
Kun Tao (Quincy), Cal Poly Pomona
Author Note: This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson. March 2014
Page 1 of 26
Table of Contents
Abstract ... 3
Introduction ... 4
Methodology ... 6
Risk-based auditing methodology: Risk assessment ... 6
IT Risk Management ... 7
IT Risk Control Framework ... 8
Identifying assets ... 13
Determining criticality and confidentiality levels ... 14
Threat and vulnerability identification ...
Words: 6057 - Pages: 25
...and the District of Columbia, with a strong presence on both the East and West coasts. The Company serves the healthcare needs of its customers through its Rite Aid stores and online pharmacy, riteaid.com. Due to the breadth and scope of its businesses, the Company faces a wide range of competitive challenges including, but not limited to, other retail drugstore chains, supermarkets, convenience stores, pharmacy benefit managers and other mail order prescription providers, Internet pharmacies and ambulatory care health providers. A primary component of the Company's human resources strategy to ensure high caliber leadership is the identification, recruitment, development and placement of key management and business talent. The Rite Aid Board of Directors (the "Board") and executive management team believe that a crucial aspect of executing this strategy is a comprehensive, integrated and straightforward executive compensation platform that provides competitive and differentiated levels of pay based on corporate and individual performance while reinforcing the alignment of executive interests with those of stockholders. When a company is facing issues dealing with corporate compliance, implementing a system to deal with the compliance and corporate governance issues is the best opportunity for the company. The company should develop a process to analyze alternatives and integrate the appropriate opportunity into the company's system. The company will begin by developing an...
Words: 1836 - Pages: 8
...Feedback: What you chose is correct.
Part 2 of 5 - 20.0/ 30.0 Points
Question 7 of 30 5.0/ 5.0 Points
Communicating information to external decision makers is accomplished through ___ as part of the process of ___.
A. Financial statements, bookkeeping
B. Financial statements, accounting
C. Journal entries, bookkeeping
D. Journal entries, accounting
Answer Key: B
Feedback: What you chose is correct.
Question 8 of 30 5.0/ 5.0 Points
Human judgment is important in which of the following AIS tasks: (i) designing source documents, (ii) recognizing recordable transactions.
A. I only
B. II only
C. Both I and II
D. Neither I nor II
Answer Key: C
Feedback: What you chose is correct.
Question 9 of 30 0.0/ 5.0 Points
Courses intended for freshmen at a local university are numbered from 100 to 199, while courses intended for seniors at the same university are numbered from 400 to 499. Which coding system is the university using?
A. Sequential
B. Block
C. Hierarchical
D. Mnemonic
Answer Key: B
Feedback: What you chose was incorrect.
Question 10 of 30 5.0/ 5.0 Points
As an internal control measure in the accounting cycle, physical security most clearly applies to:
A. Source documents
B. The balance sheet
C. The income statement
D. The statement of cash flows
Answer Key: A
Feedback: What you chose is correct.
Question 11 of 30 5.0/ 5.0 Points ...
Words: 1867 - Pages: 8
...# 2 Chapter 4 – Risk Management In the 1970s, corporate and political campaign finance corruption was running rampant. The United States Securities and Exchange Commission and the United States Congress together ratified campaign finance law reforms and the 1977 Foreign Corrupt Practices Act. These two laws made it a criminal offense for any corporation or person to be involved in global bribery and required all companies to implement internal control systems. In 1985, in response to these reforms, 5 major private sector accounting associations together created the Committee of Sponsoring Organizations, also referred to as COSO, to help sponsor the National Commission on Fraudulent Financial Reporting (Treadway Commission). The 5 associations included the American Institute of Certified Public Accountants, American Accounting Association, Financial Executives International, Institute of Internal Auditors and the Institute of Management Accountants. The original chairman of COSO was James Treadway, which led to it being referred to as the Treadway Commission. This association was formed to inspect, analyze and make recommendations on fraudulent corporate financial reporting. Today this association is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO offers 5 key components to the Internal Control Framework: Control Environment, Risk Assessment, Control...
Words: 1831 - Pages: 8
...Plan As an international plastics manufacturer employing 550 workers and with $46 million in projected annual revenues, Riordan Manufacturing Corporation is focused on providing customer product solutions and promoting a climate that focuses on the long-term viability of the company. An important part of providing customer product solutions is being able to establish long-term relationships with clients. This means that the company strives for transparency and ethics in its business dealings with all stakeholders. In the changing, fast-moving and global business world today, it is essential that officers and directors are equipped with the resources to analyze and make decisions quickly. Equally important is the ability to assess and mitigate the risks associated with doing business both locally and abroad. This corporate compliance plan serves as the formal written document that outlines the process Riordan uses to both establish and maintain compliance with all applicable federal, state, local and international laws. Legal liabilities of Officers and Directors Riordan is committed to creating a corporation of well-informed and properly supported employees that will provide a climate focused on the long-term viability of the company (Riordan mission). In order to meet this commitment, it is essential that the officers and directors work to emulate this commitment in decision making and treatment of the entire workforce. Guides and policies on ethical behavior have been further outlined...
Words: 1384 - Pages: 6
...Industries: plastic bottles, fans, heart valves, medical stents, and custom plastic parts (Virtual Organization, 2009). This compliance plan will state the company's legal responsibilities and the regulations necessary to continue earning a profit. The plan will address the laws affecting the plastic industry and guidelines to ensure management and employees understand and obey the laws. The focus of the compliance plan will be on managing the legal liabilities of Riordan officers and directors. Riordan Manufacturing was started and founded by Dr. Riordan, a professor of chemistry. The company focused on research and development of plastic substrates. In 1992 the company purchased a fan manufacturing plant in Pontiac, Michigan. In the year 2000, the fan operation was moved to China. The corporate headquarters, which includes research and development, is located in San Jose, California. Plastic beverage containers are produced in Albany, Georgia, and custom plastic parts are produced in Pontiac, Michigan (Virtual Organization, 2009). The compliance plan will include an Alternative Dispute Resolution (ADR) process to resolve disputes, product liability to address risks from defective product claims, international laws regarding the plant in China, tangible and intellectual property laws, laws regarding the corporate form of business, and protection of the interests of public and private investors through a Corporate Governance Plan. Alternative Dispute Resolution (ADR) The definition of...
Words: 4306 - Pages: 18
...Risk Management The COSO ERM Framework was created to assist companies in identifying, assessing, and managing risk so that they can effectively execute the objectives of the organization. ERM (Enterprise Risk Management) reflects fundamental concepts that organizations should follow to have a solid business structure for risk management. The ERM framework layout shows the types of objectives within the organization, the components of Enterprise Risk Management, and the organizational unit or any subset of it. There are four types of objectives in the ERM Framework: Strategic, Operations, Reporting, and Compliance. Objectives are what an organization wants to achieve. Each objective addresses different organizational needs, with senior managers having different responsibilities. As the COSO ERM framework states, "[ERM] can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives". Strategic deals with high-level goals, Operations have broad goals, Reporting focuses on the reliability of reports, and Compliance enforces laws and regulations. There are eight components that are integrated into the business management process. Internal Environment sets the tone for the way the organization views and addresses risks and control; Objective Setting makes a foundation for the operations, reporting, and compliance objectives, which create acceptable levels of risk size...
Words: 377 - Pages: 2
...The title of this study is "Success Factors for Implementing Enterprise Risk Management" by David Bowling and Lawrence Rieger. Enterprise risk management (ERM) has become a topic of increasing interest over the years. Continuing regulatory scrutiny and COSO releasing a new framework are driving this discussion. The general area of study for this research is ERM implementation, more specifically, implementing COSO's framework. Companies are starting to realize the benefits of having a framework in place and the value it brings to their organization. The specific purpose of this article is to dissect the components of COSO's ERM Framework. The authors then describe how to take that framework and implement it into business practice, while discussing some of the challenges that may be encountered. The authors take a minute to quickly review the COSO Framework and explain the importance of corporate governance. Companies must establish their risk appetite before implementation. Implementation takes time but is a key component of the corporate governance framework. Corporate governance addresses the needs of all stakeholders, which ensures the sustainability of the company in the long term. A qualitative method was used in this study. Three of the challenges encountered during implementation were lack of support from upper management, insufficient resources and the stamina/focus to last throughout the process. Some of the success factors are a focus on strategy and business...
Words: 350 - Pages: 2
...Risk Management Risk is a commonly used term and it is usually linked with bad impacts on our objectives. The Oxford English Dictionary defines risk as "a chance or possibility of danger, loss, injury or other adverse consequences". There is no agreed technical definition of risk, as it went through many developments. The first stage was the management of threats; only later was the term extended to cover the threats and the opportunities which face organizations. The latest stage is the management of threats, opportunities, uncertainties and their sources. Therefore, Dowie argues for banning the use of the term "risk" in risk management because it is too misleading. The definition that will be used in this paper is the Australia/New Zealand standard definition, which is "The chance of something happening that will have an impact on objectives". The reasons for using this definition are its simplicity and its coverage of the negative and positive effects on objectives. Risk management has been around for thousands of years (Bernstein, 1996). The term risk management was first introduced in the 1950s by the insurance industry. The first textbook published about risk management was in 1963, titled "Risk management and the Business Enterprise" by Robert I. Mehr and Bob Hedges (D'Arcy and Brogan, 2001). Risk management is an integrated process, and risk managers need to ensure that the company's business processes are consistent with its strategies, and what the relation is between risk...
Words: 2124 - Pages: 9
...Risk is a commonly used term and it is usually linked with bad impacts on our objectives. The Oxford English Dictionary defines risk as "a chance or possibility of danger, loss, injury or other adverse consequences". There is no agreed technical definition of risk, as it went through many developments. The first stage was the management of threats; only later was the term extended to cover the threats and the opportunities which face organisations. The latest stage is the management of threats, opportunities, uncertainties and their sources of uncertainty (Ward and Chapman, 2003). Therefore, Dowie argues for banning the use of the term "risk" in risk management because it is misleading. The definition that will be used in this paper is the Australia/New Zealand standard definition, which is "The chance of something happening that will have an impact on objectives" (Australia/New Zealand Standard, 1999). The reasons for using this definition are its simplicity and its coverage of the negative and positive effects on objectives. Risk management has been done for thousands of years (Bernstein, 1996). The term risk management was first introduced in the 1950s by the insurance industry. The first textbook published about risk management, in 1963, was titled Risk management and the Business Enterprise by Robert I. Mehr and Bob Hedges (D'Arcy and Brogan, 2001). Risk management is an integrated process, and risk managers need to ensure that the company's business processes are consistent with its...
Words: 1225 - Pages: 5
...Actuarial Society Committee on Enterprise Risk Management has adopted the following definition, which includes the purpose of ERM: "ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders." In the US, COSO published its ERM-Integrated Framework in 2004. COSO identified a need for a robust framework to help companies effectively identify, assess, and manage risk. The resulting framework has eight components and four objectives. The eight components are:
* Internal Environment - It encompasses the tone of an organization, and sets the basis for how risk and control are viewed and addressed by an entity's people.
* Objective Setting - Objectives must be aligned with the organization's risk appetite, which derives risk tolerance levels for the organization.
* Event Identification - Management identifies potential events that, if they occur, will affect the entity's ability to successfully implement the strategy and achieve objectives adversely or positively.
* Risk Assessment - It allows an entity to consider the extent to which potential events have an impact on achievement of objectives.
* Risk Response - It includes risk avoidance, reduction, sharing and acceptance.
* Control Activities - These are the policies and procedures that help ensure the management's risk responses are carried out...
Words: 1368 - Pages: 6
...Commission (COSO) Enterprise Risk Management (ERM) – Integrated Framework (2004) is a guideline for managing risk and understanding internal controls. The eight components of the COSO ERM Framework are as follows: internal environment, objective setting, event identification, risk assessment, control activities, information and communication, and lastly, monitoring. Here we define/describe these eight components:
a. The Internal Environment captures the tone of the organization and sets the standard on how risk is viewed and addressed by the entity's members. The entity will define such things as: risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
b. The Objective Setting is the objectives that exist before management identifies potential events that will affect their achievement.
c. Event Identification is the internal and external events affecting achievement of an entity's objectives that are identified, then distinguished between risks and opportunities.
d. Risk Assessment is simply risks that are analyzed as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
e. Risk Response is avoiding, accepting, reducing, or sharing risk. Management develops a set of actions to align risks with the entity's risk tolerances and risk appetite.
f. Control Activities are policies and procedures that are established and implemented to help ensure the risk responses...
Words: 1036 - Pages: 5
...AC503 Annotated Bibliography Austin, Stephen G. (July 2012). Updated COSO framework will help audit committees comply with SOX. In Journal of Accountancy. Retrieved November 5, 2012, from http://www.journalofaccountancy.com/Issues/2012/Jul/Audit-committees.htm. This reference will be used for the expectations-for-the-future part of my research for SOX. It is current in the feelings about SOX this year. It also gives some insight on what the changes will be for the future in regards to the upgrade to the model of "providing new guidance regarding monitoring, enterprise risk management (ERM), enhanced board oversight, and quantifying risk appetites for corporate America." Lowengrub, Paul. (December 6, 2005). The Impact Of Sarbanes Oxley On Companies, Investors, & Financial Markets. In Sarbanes-Oxley Compliance Journal. Retrieved November 5, 2012, from http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=1141. This source provides a snapshot of the impact on companies from SOX. I wanted to use this for the glimpse it provides of what accountants were expecting 5 years later. It's sort of a progression at intervals. McConnell, Donald K. Jr. and George Y. Banks. (September 2003). CPAs will have to develop new procedures and scrap some old ones. In How Sarbanes-Oxley Will Change the Audit Process. Retrieved November 5, 2012, from http://www.journalofaccountancy.com/issues/2003/sep/howsarbanesoxleywillchangetheauditprocess.htm. This source gave opinions at the time when changes were...
Words: 315 - Pages: 2
...I have prepared the following Enterprise Risk Management (ERM) plan for your review. This plan was developed for use in Riordan Industries, Inc., Riordan Manufacturing, and all other Riordan ventures, subsidiaries, and partnerships. Unless otherwise noted, the term “Riordan” will refer to any or all of these entities. I have used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as a guide for recommendations regarding internal controls and corporate governance. The goal of this document is to provide a broad enterprise level framework that unifies the various parts of Riordan, to create an integrated whole. In doing so, the ERM mitigates the legal liability of the officers and directors of Riordan. Alternative Dispute Resolution It is reasonable to assume that in the course of business, Riordan will encounter conflict with a customer, a vendor, an employee, or some other person or organization. Riordan Manufacturing currently retains an independent law firm to handle all legal matters. Aside from the practice of keeping an attorney on retainer, Riordan appears to have no particular dispute resolution process in place. If a conflict escalates to the point that legal action is taken, it is most likely in Riordan’s best interests to settle disputes through the process of mediation. Mediation is preferable to other methods of dispute resolution for several reasons: Riordan avoids the risk of a potentially hostile venue or jury...
Words: 2026 - Pages: 9