IT risk and Financial system

by Nora Dha, on 24 November 2013


Transcript of IT risk and Financial system

Agenda
IT risk and financial systems: understanding the risk in the supporting "system"
IT system architecture: when we refer to a "system", what are we actually referring to?
Interaction between system elements: what happens in the background when you use the system
Manual vs. automated processing: how do we identify which processing is manual and which is automated?
Key points:
IT system architecture
Interaction between system elements
Manual vs. automated processing
IT system risk in relation to financial risk
How IT controls mitigate risk

IT system risk in relation to financial risk
Understanding risk:
Financial industries depend heavily on information, especially information from computer systems; therefore risk in the IT system also presents itself as financial risk.
How IT controls mitigate risk
Risk in an IT system can occur at any layer, including the application, database and operating system. Despite the different layers, we can summarise its nature into the following categories.
Questions?
Feel free to ask any questions about the slides.

We will continue with the next topic, Basic IT controls.
Relationship
When you hear of the "Oracle Financial" system, this means the following.
To have a system we need the following components:
Processing unit (application's modules)
Recording unit (database)
Container (operating system)
However, the number of each component in one system is not limited.

For example:
A typical system usually has 1 module and 1 database, installed onto 1 operating system, for example an HR system.
Some systems have multiple modules and databases installed onto 1 operating system, for example an ERP system.
How data is processed from one point to another
How data is manipulated / converted / calculated
Quiz
Purchasing process:
A user creates a PR and a manager approves the PR on the system.
Purchasing staff are alerted to the new PR, create a PO and submit it for approval through the system.

There are 2 approval steps: the PO has to be printed and signed by the purchasing manager before he can approve the given PO on the system.
PO approval is not the manager's responsibility alone. If the budget of the item is beyond his authority, higher-level management must be the approving person.
POs must be printed in numerical order.

Is this a manual or an automated process?

Here we go
Answer
Purchasing process

A user creates a PR and a manager approves the PR on the system.

This part is an automated process, as you depend on the system to ensure the appropriateness of the approver.
Purchasing staff are alerted to the new PR, create a PO and submit it for approval through the system. There are 2 approval steps: the PO has to be printed and signed by the purchasing manager before he can approve the given PO on the system.
This part has both manual and automated processing:
Manual signing, which is a manual process
Approval on the system, which is an automated process
Risk
Confidentiality
Information is accessible only to authorized users.
Integrity
Only authorized changes are made to the data.
Availability
Information is accessible when required.
C-I-A
Get the "picture"?
Sample of risk and its implication to the business
Confidentiality
Low-level staff could read the critical financial report prepared for the top management meeting regarding the acquisition of a competitor.
Sample of risk and its implication to the business
Integrity
Financial data could be modified even after it has been reviewed and approved by the preparer's manager.

Sample of risk and its implication to the business
Availability
Accounting and related information could not be accessed due to a system failure during the monthly account closing.
From your point of view, which type of risk would have the most impact?
Answer: It depends!

The impact / criticality depends on the context in which such a risk occurs.
However, generally the risk of most concern when auditing the financial statements is "Integrity".

Have you ever heard of the "TJ MAXX" incident in 2007?
In March 2007, the company was at the center of a major credit card fraud which affected its international operations.
Details of customers' credit cards and debit cards were accessed by computer hackers, exposing 45.7 million customers to potential theft from their accounts.
According to the company, this affected customers who used their cards between January 2003 and June 2004 at any branch of T.K. Maxx. Details were stolen by hackers installing software via wi-fi in June 2005 that allowed them to access personal information on customers. The breach continued until January 2007.

The company's losses were estimated at 4.5 billion dollars.
There was a 20% drop in the TJX Companies stock (symbol: TJX) within weeks of the data security breach.

The effect on the financial status of the company is significant.

Case Study
How IT controls mitigate risk
Burnell Property Management (BPM) has lost $40,000 to a suspected fraud
The trigger point

‘‘Three days ago Malcolm had a call from a cashier at Northern Bank. A scruffy teenager had tried to withdraw $40,000 from an account at a local branch. The cashier was suspicious.

The account had recently been credited with $40,000 from BPM and the lad didn’t look like one of our landlords. The cashier asked him for evidence that he was entitled to the money received from BPM, but the kid replied that he had lost the relevant paperwork and would forward it at a later date. As the dialogue continued, he became nervous and fidgety. The cashier told him she was going to call BPM. With that, he bolted.’’
BPM Incident History
‘‘A couple of weeks ago we received some money in our office bank account—$40,000, to be precise. It was from Banchor Consulting, a former customer. I guessed that Banchor had paid the amount in error, so I asked David to give them a call and sort it out. He came back about 10 minutes later and told me he had spoken with them and the amount had indeed been paid by accident. Later that day he came to me with a request for a payment to a Mr. Steve Agar, explaining that Banchor wanted the money refunded to this individual.
David showed me an e-mail from Banchor. It definitely indicated that the money was to be refunded to Steve Agar. I sent the payment and thought nothing of it until this week when the cashier called, at which point I immediately telephoned Banchor. They had never heard of Steve Agar and denied sending the e-mail.
Anyway, yesterday, David called in sick and now refuses to answer his phone.’’
BPM Payment Process
‘‘Our suppliers and employees are paid by BACS, a form of direct deposit. The BACS machine is a computer that links to the bank. We’ve got high-level control over these payments. When we want to make a payment, we put a creator card into the BACS machine and enter a PIN number and the account details of the recipient. The final step is to authorize the payment, which is done by plugging an authorizer card into the system and typing the authorizer PIN number.’’
Points to consider
Access to the BACS cards

Access to the staff / customer and supplier master files

Security of the BACS system

Integrity of the staff / customer and supplier master files

Any other invalid transactions?
Financial risk
Simulating the data flow experience
From the user's PC: workstation log-in (Windows log-in page)
Access network layer
Operating system log-in
Application log-in (Oracle Financial log-in page)
Business cycles: purchasing cycle, revenue cycle, expenditure cycle, payroll cycle
Then the data is ready to be used.
Something is doing the calculation; something happens to your input.
What is that black box?
This session will explain what that "magic" black box is and how it affects the financial data and other related processes.
Oracle EBS* = Enterprise Business Suite (GL, HR, Purchasing, etc.)
NatWest Bank IT system failure, 2012
What happened at this bank
Cause
A software update was applied on 19 June 2012 to RBS's CA-7 software, which controls its payment processing system. It later emerged that the update was corrupted.
Impact
Customers' wages, payments and other transactions were disrupted. Some customers were unable to withdraw cash using ATMs or to see bank account details. Others faced fines for late payment of bills because the system could not process direct debits. Completions of new home purchases were delayed, and some people were stranded abroad. Another account holder was threatened with the discontinuation of their life support machine in a Mexican hospital, and one man was held in prison.
PO approval is not the manager's responsibility alone. If the budget of the item is beyond his authority, higher-level management must be the approving person.
This part has both manual and automated processing:
Manual processing: manual signing, which complies with the announcement / policy
Automated processing: approval authority must be divided by the system
POs must be printed in numerical order.
This is automated processing. We need to make sure that the PO numbering mechanism is set up in an appropriate fashion.
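The automated controls the quiz answer describes, modelled in Python as an added example (this code is not from the presentation or from Oracle): the system issues PO numbers sequentially, refuses system approval until the printed-and-signed step is recorded, blocks a creator from approving their own PO, and routes amounts above a role's limit to higher-level management. The user roles, approval limits, PO data and the gap check over printed numbers are all constructed assumptions for illustration.

```python
"""Added example, not part of the original presentation: a minimal model of
the automated purchasing controls described in the quiz answer. Roles,
approval limits and sample data are constructed for illustration."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterable, List, Optional

# Hypothetical approval limits: a role may approve a PO only up to its limit.
APPROVAL_LIMITS = {"manager": 10_000, "director": 100_000, "cfo": float("inf")}
ROLE_RANK = {"manager": 1, "director": 2, "cfo": 3}


@dataclass
class PurchaseOrder:
    number: int               # assigned by the system, never by the user
    creator: str
    amount: float
    approved_by: Optional[str] = None
    signed_on_paper: bool = False  # the manual control: printed and signed


class PurchaseOrderSystem:
    """Issues sequential PO numbers and enforces approval authority."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                    # user -> role (constructed)
        self._seq = count(1)                  # system-controlled numbering
        self.orders: Dict[int, PurchaseOrder] = {}

    def required_role(self, amount: float) -> str:
        """Lowest role whose limit covers the amount: the 'higher-level
        management must approve' rule from the quiz."""
        for role in sorted(APPROVAL_LIMITS, key=ROLE_RANK.get):
            if amount <= APPROVAL_LIMITS[role]:
                return role
        raise ValueError("no role may approve this amount")

    def create(self, creator: str, amount: float) -> PurchaseOrder:
        po = PurchaseOrder(next(self._seq), creator, amount)
        self.orders[po.number] = po
        return po

    def approve(self, number: int, approver: str) -> PurchaseOrder:
        po = self.orders[number]
        role = self.users.get(approver)
        if role is None or role not in ROLE_RANK:
            raise PermissionError(f"{approver} has no approval authority")
        # Segregation of duties: the creator may never approve their own PO.
        if approver == po.creator:
            raise PermissionError("creator cannot approve own PO")
        # Authority check: the approver's limit must cover the amount.
        if ROLE_RANK[role] < ROLE_RANK[self.required_role(po.amount)]:
            raise PermissionError(f"{role} cannot approve {po.amount}")
        # The manual step (print and sign) must precede system approval.
        if not po.signed_on_paper:
            raise PermissionError("PO must be printed and signed first")
        po.approved_by = approver
        return po


def approval_allowed(system: PurchaseOrderSystem, number: int, approver: str) -> bool:
    """True if the system accepts the approval, False if a control rejects it."""
    try:
        system.approve(number, approver)
        return True
    except PermissionError:
        return False


def numbering_gaps(printed_numbers: Iterable[int]) -> List[int]:
    """Audit check on the numbering control: report PO numbers missing from
    the printed sequence (a PO printed out of order or deleted)."""
    present = set(printed_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


if __name__ == "__main__":
    system = PurchaseOrderSystem({"pat": "staff", "alice": "manager", "bob": "director"})
    po = system.create("pat", 50_000)
    po.signed_on_paper = True
    print("manager may approve 50,000:", approval_allowed(system, po.number, "alice"))
    print("director may approve 50,000:", approval_allowed(system, po.number, "bob"))
    print("gaps in printed sequence [1, 2, 4, 5]:", numbering_gaps([1, 2, 4, 5]))
```

The two checks that matter for the audit question are the ones the user cannot influence: the PO number comes from the system's counter, and the required approver is derived from the amount, so a manager cannot approve a PO that exceeds his limit even if it was submitted to him.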