The success of every business hinges on its ability to carry out a quality risk assessment process. Risk assessment is a systematic method or technique used to determine which areas of a business are most vulnerable to threats, whether internal or external. Because the rules that govern businesses have changed, auditors and other information systems (IS) professionals have been handed a new set of challenges, and IT audit is one of them.
The change in business rules was necessitated by the pervasiveness of IT and the dependence on IT for business processes. This means that IT risk assessment has now become a significant portion of the overall risk assessment of a business. Yet many auditors still struggle with the issue, or, once convinced of the importance of IT risk assessment, are confronted with the question: how do I perform it?
If you are among the auditors wondering how to carry out an effective audit of IT risk assessment in an entity, worry not, as this article is for you. And if you already have IT risk assessment skills, read on, as this article will surely add a thing or two to your IT audit knowledge bank.
BASICS OF AUDITING IT RISK ASSESSMENT
We are going to take a question-based approach to assessing the IT risk of a company. Since the primary focus of an IT risk assessment is to identify the risks that IT presents to the business, it is wiser to base your IT risk assessment on two broad questions:
(1) What is the magnitude of the risk (monetary or otherwise)?
(2) What is the probability of occurrence?
The aim of the above two questions is to enable an IT auditor to identify only material risks. Material risks are those with a realistic probability of a negative outcome that can significantly affect business operations. After all, risk is assessed as both the probability of occurrence and the magnitude of effect, or as the product of the two.
Armed with these two questions, one can then proceed to the four aspects of IT risk assessment:
- FIRST ASPECT- RISK IDENTIFICATION
Below are some of the ways that the auditor can employ to identify the IT risk of a company.
- Obtain a copy of the current IT risk assessment document, where management already has one. Auditors should also obtain a copy of the company’s operational business plan. The business plan should include the goals, objectives, weaknesses, strengths and strategies of the business. Other documents that the auditors can assess are procedural and policy documents. Where access to the above documents is denied, the auditor should by default set the company’s IT risk at a very high level. Where access is granted, the auditor should review these documents to identify the role of IT in the organization and the critical points where risks are likely to occur. The auditor should place a high level of IT risk on companies with high reliance on IT infrastructure without adequate countermeasures in place.
- Obtain an understanding of the managerial, operational and administrative aspects of the IT function. Is the company alert to technological changes and advancements, and to the new level of risk that always characterizes the advent of new technology?
- Gather information about the qualifications and competency of the key IT staff of the company. The more competent the key staff are, the lower the risk level of the company as far as IT is concerned.
- Get information about the alignment between the IT infrastructure and the company’s objectives. Have IT investments been made in the wrong technology? Investment in the wrong information technology increases the risk of losses associated with the mismanagement of information technology. The returns from IT investments should be adequate to meet the company’s required rate of return. This may not be the case at all times, as some IT projects are embarked on purely to satisfy non-financial factors of investment appraisal.
- A working knowledge of the change management process of the company should be sought. Does the IT function of the company include the writing or modification of code? If yes, to what degree are the best practices of the systems development life cycle (SDLC) adhered to? The higher the degree of adherence to SDLC best practices, the lower the IT risk of the IT function and that of the company as a whole.
- The access control policy of the company should be evaluated in the light of information security best practices. How easy is it for people to gain access to the company’s information systems? How many reported cases of unauthorized access to critical information and IT infrastructure have there been in the past? This evaluation should cover both logical and physical access control measures.
- SECOND ASPECT- IDENTIFICATION AND MANAGEMENT OF MULTIPLE AND CROSS-ENTERPRISE RISKS. This aspect of IT risk assessment attempts to identify the various vulnerable points and to check whether countermeasures are in place to counter any eventuality. Special attention should be paid to the enterprises we have dealings with. For example, third-party software and applications should be tested to ensure that no threat will be introduced into the company.
- THIRD ASPECT- TAKING INTO CONSIDERATION RESTRICTING FACTORS THAT CONTRIBUTE TO IT RISK. Regulations, rules, standards and laws that have the potential to increase IT risk should be assessed in the light of the company’s current practice. The Privacy Act is a good example of this. Companies should ensure strict adherence to all applicable enactments.
- FOURTH ASPECT- IDENTIFYING THE RISK OF DOING NOTHING. Four options are open to a company as far as risk is concerned. They are:
- Mitigate the risk,
- Transfer the risk,
- Assume the risk, and
- Do nothing
IT risk is no exception here; the effect of doing nothing about IT risk should be identified and assessed. Questions such as "What do we stand to lose in the case of a business interruption related to IT risk?" should be asked, so as to gain insight into what the company stands to lose should the risk materialize.
Acquiring the right skills and judiciously applying the tips given in this article should help every auditor position himself or herself better to carry out a quality IT risk assessment.
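As an added illustration, not part of the original article, the Python sketch below scores a constructed IT risk register the way the two broad questions suggest: exposure as the product of probability and magnitude, filtered by an assumed materiality threshold, with the "default to very high when documents are denied" rule and the cost of doing nothing. The register entries, the threshold and the probability values are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ITRisk:
    """One line of a constructed IT risk register (illustrative values only)."""
    name: str
    probability: float          # likelihood of occurrence in the period, 0.0 to 1.0
    magnitude: float            # monetary impact if the risk materializes
    treatment: str = "do nothing"  # mitigate / transfer / assume / do nothing

    def exposure(self) -> float:
        """Risk expressed as the product of probability and magnitude (expected loss)."""
        return self.probability * self.magnitude


MATERIALITY_THRESHOLD = 25_000.0  # assumed: exposures below this are not material


def material_risks(register, threshold=MATERIALITY_THRESHOLD, documents_provided=True):
    """Return (name, exposure) for material risks, highest exposure first.

    If management denies access to the risk assessment and business plan, the
    auditor defaults every risk to very high, modelled here as probability 1.0.
    """
    scored = []
    for risk in register:
        probability = 1.0 if not documents_provided else risk.probability
        exposure = probability * risk.magnitude
        if exposure >= threshold:
            scored.append((risk.name, exposure))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cost_of_doing_nothing(register) -> float:
    """Total expected loss of the risks left untreated: the risk of doing nothing."""
    return sum(r.exposure() for r in register if r.treatment == "do nothing")


# Constructed sample register; names and figures are illustrative, not real data.
SAMPLE_REGISTER = [
    ITRisk("Unauthorized logical access to ERP", 0.30, 400_000, "mitigate"),
    ITRisk("Untested vendor software update", 0.20, 150_000, "do nothing"),
    ITRisk("Key IT staff turnover", 0.50, 70_000, "assume"),
    ITRisk("Data centre fire", 0.01, 2_000_000, "transfer"),
    ITRisk("Minor workstation outage", 0.80, 5_000, "do nothing"),
]

if __name__ == "__main__":
    for name, exposure in material_risks(SAMPLE_REGISTER):
        print(f"{name}: {exposure:,.0f}")
    print(f"Cost of doing nothing: {cost_of_doing_nothing(SAMPLE_REGISTER):,.0f}")
```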
To your success as an auditor!