Risk Analysis Assessment.pdf

Transcript

RISK ANALYSIS, MITIGATION &
ASSESSMENT
SDB3123 IT RISK & AUDIT
TS DR SAVITA
RISK ANALYSIS
▪The goal of risk analysis is to determine the risks
and vulnerabilities to then adequately plan the
controls that are needed to lessen those risks
▪The auditing process needs to understand the
relationship between risks and controls
▪This means that the auditor must have knowledge of
the common business risks and related technology
risks as related to the audit
 Some of the key points that the auditor should have
knowledge about our as follows:
1. The purpose and nature of the business and the
environment that operates in
RISK ANALYSIS 2. How much dependence the business has on
technology
3. What other risks associated with IT in any related
dependences and how that could impact the goal
of the business
 ISACA has a risk IT framework that is
based on a set of guiding principles and
features business processes and
management guidelines to conform to
those principles

RISK ANALYSIS
To get a good understanding of risk we
should have a definition of what a risk if,
the ISO has published a definition of risk
as the potential that a given threat will
exploit vulnerabilities of an asset and
thereby cause harm to the organization
 When analysing IT services the auditor
would specifically be looking at the risks
associated for the business when using IT
services within an enterprise

RISK ANALYSIS
One of the goals of the risk analysis is
to help in mitigating that risk to a
manageable point

This can be crucial to a business that
relies heavily on the support of IT
RISK ANALYSIS- The assets of the organization

THE RISK OF AN
EXPLOIT TO A Processes or objectives of the business

VULNERABILITY Damage financially
COULD
NEGATIVELY Regulatory violations

IMPACT:
Operational outages
RISK ANALYSIS
Risk assessment can be characterized by a lifecycle
oStarting by identifying business objectives
oInformation assets
oSystems that generate or store information
oSystems that manipulate the assets

Risk assessment should first focus on the most crucial assets that could
negatively impact the organization
Risk mitigation involves identifying controls that can reduce the
potential loss
Often a control should be analysed through cost benefit analysis
What is the cost of the control
How will control minimize the risk
What level of risk will the organization accept
What is the preferred risk reduction method, i.e. terminating the
risk, minimizing the probability of the risk, or perhaps minimizing
the impact

RISK ANALYSIS
 RISK ASSESSMENT PROCESS
Identify Business Objective (BO)

Identify Information Assets
Perform Periodic Risk
Supporting the Business
Revaluation (BO/RA/RM/RT]
Objectives (BOs)

Perform Risk Treatment (RT) Perform Risk Assessment (RA)
[Treat significant risks not [Threat > Vulnerability >
mitigated by existing controls] Probability > Impact)

Perform Risk Mitigation (RM)
[map risks with controls in place]
 Risk-based audits are becoming more popular

This approach assesses risk and assists the auditor in deciding to
perform either compliance testing or substantive testing

The risk-based audit can help the auditor to determine the nature

RISK-BASED and extent of needed testing

AUDITING Within risk-based auditing, inherent risk, control risk, or detection
risk should not be a major concern

Auditors don’t rely on risk; they should also rely on the internal and
operational controls as well as their knowledge of the companies
operations
This type of assessment can help later in the cost benefit analysis of
the control to the known risk
 Business risks should include the probable effects of an
uncertain event
The nature of the risks may be:
RISK-BASED ❖Financial
AUDITING ❖Regulatory
❖Operational
❖It may also include risks from a specific technology
RISK-BASED
AUDITING
The risk model assessment:
Could be as simple as creating
weights for the types of risks
identified
Risk assessment can be a scheme
where risks have an elaborate
weight-based rating depending
on the significance of the risk and
the asset being protected
This is defines as the risk that information may contain
a material error that you go undetected during the
audit

Inherent risk: The risk that an error exists that can be
material or significant when combined with other
errors during the course of the audit

Control risk: A risk that a material error may exist
and may not be prevented or detected in a timely
AUDIT RISK AND
manner by the internal control system
MATERIALITY
Detection risk: The risk that the auditor is using
inadequate test procedures

Overall audit risk: A combination of the above
categories used in the audit to assess each specific
control
 Audit risk can describe the level of Risk an auditor is
prepared to accept during an audit engagement
▪The auditor might set a target level of risk and adjust the
amount of detailed work to minimize this risk
▪material refers to an error that should be considered as
significant to any party concerned with the audit
AUDIT RISK AND ▪Materiality is a matter of professional judgment that should
include a consideration of the effect on the organization being
MATERIALITY audited
Auditors should have a good understanding of the audit
risks when planning the audit
▪This Is certainly a possibility that an audit sample may not
detect every potential error in the sample population
▪Using proper statistical sampling, or strong quality control
process, can reduce the amount of audit risk
 Assessing security risks:
❑The auditor should be familiar with how the organization
that is being audited approaches risk assessment and
treatment

RISK ❑Risk assessment should identify, quantify and prioritize risks
against the criteria set forth for risk acceptance

ASSESSMENT ❑These criteria can set priorities for managing security risks
and implementing controls to mitigate those risks
AND TREATMENT Risk Assessment is a systematic approach of risk analysis
and comparing the estimated risks against the risk criteria
to determine the significance of that risk
A risk assessment should be performed when there are
changes in the environment, security requirements, and
the risk situation
 Treating risks
Before deciding on the treatment of a risk, there
should be criteria that determines whether risks can be
accepted

RISK Possible options for risk treatment include:

ASSESSMENT i.
ii.
reducing risk using appropriate controls
accepting risks, providing they meet the
AND TREATMENT organization's policy criteria for acceptance
iii. avoiding risks by stopping the actions that could
cause the risks to occur
iv. or transferring the risk, example: To insurers or
suppliers
 Controls should be selected based on their ability to reduce
risk to an acceptable level
i. look at the requirements and constraints of appropriate
regulations
ii. understanding the organizational objectives
iii. operational requirements and constrains
RISK iv. cost effectiveness

ASSESSMENT It is important to note that some controls might not apply to
every information systems environment for all organizations

AND TREATMENT Finally it is important to remember that no set of controls can
achieve complete security
That means that management should implement the following :
i. ongoing monitoring
ii. Evaluation
iii. Improvements to the efficiency and effectiveness of security
controls
The auditor potentially has a very large variety of audit
subjects depending on the organization being audited. each
of these areas may have a different type of audit risk.

there are many computerized and non computerized
methods of performing risk assessment RISK
ASSESSMENT
these methods range from simple classification of high,
medium, or low TECHNIQUES
the IS auditor may also be faced with more complex
scientific equations providing numeric risk rating
 One example of a risk assessment approach could use
a scoring system to prioritize audits based on risk
factors :
i. variables should be considered for the following :

RISK ii. technical complexity
iii. level of control procedures in place
ASSESSMENT iv. Level of financial loss
TECHNIQUES another form of risk assessment is judgmental, where
decisions can be made on business knowledge,
management directives, Historical perspectives were or
business schools
the auditor should consider the level of complexity
and detail is appropriate for the audit
 Risk assessment can be used
to determine the areas to
be audited based on :
RISK Limited audit resources
ASSESSMENT information obtained from all
levels of management. this can
TECHNIQUES help the auditor in determining
high risk areas
how individual audit is related to
the overall organization as well as
to the business plans
 Audit objectives refer to the specific goals that must
be accomplished during the audit

for example, one objective may be on
substantiating that internal controls exist to minimize

AUDIT business risks and that they function as required

OBJECTIVES one key element in planning the audit objective is
translating that basic and wide range objectives
into a specific audit objective

The auditor should have an understanding of how
the general objectives can be translated into a
specific control objective. this is important in the
planning of the IS audit
 COMPLIANCE VS SUBSTANTIVE TESTING
Compliance testing is gathering evidence to test if an organization is in compliance of control
procedures
this is different than substantive testing where the evidence is used to evaluate the integrity of
transactions, data, or other information
Compliance test will determine if controls are being applied in compliance with managers policies
and procedures
the auditor should understand the objective of the compliance test and of the control being tested
comparing this to a substantive test, where the integrity of the processing is being evaluated rather
than compliance
Both compliance and substantive testing can work together
the control is found to be in compliance then the need of substantive testing can be reduced
On the other hand if the control shows a weakness then a substantive test can allevitated the doubts
of the accuracy or validity what was audited
 AUDIT RISK MODEL
Audit risk model is a tool used by auditors to understand the relationship between various
risks arising from an audit engagement enabling them to manage the overall audit risk.
Audit risk model suggests that overall audit risk of an engagement is the product of the
following three component risks:
❖Inherent Risk
❖Control Risk
❖Detection Risk
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements.
Examples of inappropriate audit opinions include the following:
Issuing an unqualified audit report where a qualification is reasonably justified;
Issuing a qualified audit opinion where no qualification is necessary;
Failing to emphasize a significant matter in the audit report;
Providing an opinion on financial statements where no such opinion may be reasonably
given due to a significant limitation of scope in the performance of the audit.
 AUDIT RISK MODEL
The calculation is:

Audit risk = Control risk x Detection risk x Inherent risk

These elements of the audit risk model are:
Control risk. This risk is caused by the failure of existing controls or the absence of controls,
leading to incorrect financial statements.
Detection risk. This risk is caused by the failure of the auditor to discover a material misstatement
in the financial statements.
Inherent risk. This risk is caused by an error or omission arising from factors other than control
failures. This risk is most common when accounting transactions are quite complex, there is a high
degree of judgment involved in accounting for transactions, or the training level of the accounting
staff is low.
EXAMPLE
ABC is an audit and assurance firm which has recently accepted the audit of XYZ.
During the planning of the audit, engagement manager has noted the following
information regarding XYZ for consideration in the risk assessment of the assignment:
XYZ is a listed company operating in the financial services sector
XYZ has a large network of subsidiaries, associates and foreign branches
The company does not have an internal audit department and its audit committee
does not include any members with a background in finance as suggested in the
corporate governance guidelines
It is the firm’s policy to keep the overall audit risk below 10%
 Inherent risk in the audit of XYZ’s financial statements is particularly high
because the entity is operating in a highly regularized sector and has a
complex network of related entities which could be misrepresented in the
financial statements in the absence of relevant financial controls. The first audit
assignment is also inherently risky as the firm has relatively less understanding
of the entity and its environment at this stage. The inherent risk for the audit
may therefore be considered as high.
Control risk involved in the audit also appears to be high since the company
does not have proper oversight by a competent audit committee of financial
aspects of the organization. The company also lacks an internal audit
department which is a key control especially in a highly regulated environment.

EXPLANATION The control risk for the audit may therefore be considered as high.
If inherent risk and control risk are assumed to be 60% each, detection risk has
to be set at 27.8% in order to prevent the overall audit risk from exceeding
10%.
Working
Audit Risk = Inherent Risk x Control Risk x Detection Risk
0.10 = 0.60 x 0.60 x Detection Risk
0.10 = Detection Risk = 0.278 = 27.8%
0.36
THANK YOU