Risk Analysis & Assessment PDF

Summary

This document provides a comprehensive overview of risk analysis, mitigation, and assessment. It explores the relationship between risks and controls, emphasizing the auditor's role in understanding common business risks and related technology risks. The document also details various aspects of risk assessment methodologies, control procedures, and risk treatment options.

Full Transcript


RISK ANALYSIS, MITIGATION & ASSESSMENT
SDB3123 IT RISK & AUDIT
TS DR SAVITA

RISK ANALYSIS
▪ The goal of risk analysis is to determine the risks and vulnerabilities in order to adequately plan the controls that are needed to lessen those risks.
▪ The auditing process needs to understand the relationship between risks and controls.
▪ This means that the auditor must have knowledge of the common business risks and related technology risks as they relate to the audit.

Some of the key points that the auditor should have knowledge about are as follows:
1. The purpose and nature of the business and the environment it operates in
2. How much dependence the business has on technology
3. What other risks are associated with IT and any related dependencies, and how they could impact the goals of the business

ISACA has a Risk IT framework that is based on a set of guiding principles and features business processes and management guidelines to conform to those principles.

To get a good understanding of risk we should have a definition of what a risk is. ISO has published a definition of risk as the potential that a given threat will exploit vulnerabilities of an asset and thereby cause harm to the organization. When analysing IT services the auditor would specifically be looking at the risks to the business of using IT services within the enterprise.

One of the goals of the risk analysis is to help in mitigating that risk to a manageable point. This can be crucial to a business that relies heavily on the support of IT.

The risk of an exploit to a vulnerability could negatively impact:
▪ The assets of the organization
▪ Processes or objectives of the business
▪ Finances (financial damage)
▪ Regulatory compliance (regulatory violations)
▪ Operations (operational outages)

Risk assessment can be characterized by a lifecycle:
o Starting by identifying business objectives
o Information assets
o Systems that generate or store information
o Systems that manipulate the assets

Risk assessment should first focus on the most crucial assets, those whose compromise could negatively impact the organization. Risk mitigation involves identifying controls that can reduce the potential loss. Often a control should be analysed through cost-benefit analysis:
▪ What is the cost of the control?
▪ How will the control minimize the risk?
▪ What level of risk will the organization accept?
▪ What is the preferred risk reduction method, i.e. terminating the risk, minimizing the probability of the risk, or perhaps minimizing the impact?

RISK ASSESSMENT PROCESS
1. Identify Business Objectives (BO)
2. Identify Information Assets supporting the Business Objectives (BOs)
3. Perform Risk Assessment (RA) [Threat > Vulnerability > Probability > Impact]
4. Perform Risk Mitigation (RM) [map risks with controls in place]
5. Perform Risk Treatment (RT) [treat significant risks not mitigated by existing controls]
6. Perform Periodic Risk Re-evaluation (BO/RA/RM/RT)

RISK-BASED AUDITING
Risk-based audits are becoming more popular. This approach assesses risk and assists the auditor in deciding whether to perform compliance testing or substantive testing. The risk-based audit can help the auditor to determine the nature and extent of needed testing.
Within risk-based auditing, inherent risk, control risk, or detection risk should not be a major concern. Auditors should not rely on risk alone; they should also rely on the internal and operational controls as well as their knowledge of the company's operations. This type of assessment can help later in the cost-benefit analysis of the control against the known risk.
Business risks should include the probable effects of an uncertain event. The nature of the risks may be:
❖ Financial
❖ Regulatory
❖ Operational
❖ It may also include risks from a specific technology

The risk model assessment could be as simple as creating weights for the types of risks identified. Risk assessment can be a scheme where risks have an elaborate weight-based rating depending on the significance of the risk and the asset being protected.

AUDIT RISK AND MATERIALITY
Audit risk is defined as the risk that information may contain a material error that may go undetected during the audit.
▪ Inherent risk: the risk that an error exists that can be material or significant when combined with other errors encountered during the course of the audit.
▪ Control risk: the risk that a material error may exist and may not be prevented or detected in a timely manner by the internal control system.
▪ Detection risk: the risk that the auditor is using inadequate test procedures.
▪ Overall audit risk: a combination of the above categories, used in the audit to assess each specific control.

Audit risk can describe the level of risk an auditor is prepared to accept during an audit engagement.
▪ The auditor might set a target level of risk and adjust the amount of detailed work to minimize this risk.
▪ "Material" refers to an error that should be considered significant to any party concerned with the audit.
▪ Materiality is a matter of professional judgment that should include a consideration of the effect on the organization being audited.
Auditors should have a good understanding of the audit risks when planning the audit.
▪ There is certainly a possibility that an audit sample may not detect every potential error in the sample population.
▪ Using proper statistical sampling, or a strong quality control process, can reduce the amount of audit risk.

RISK ASSESSMENT AND TREATMENT
Assessing security risks:
❑ The auditor should be familiar with how the organization that is being audited approaches risk assessment and treatment.
❑ Risk assessment should identify, quantify and prioritize risks against the criteria set forth for risk acceptance.
❑ These criteria can set priorities for managing security risks and implementing controls to mitigate those risks.
Risk assessment is a systematic approach of analysing risk and comparing the estimated risks against the risk criteria to determine the significance of that risk. A risk assessment should be performed when there are changes in the environment, the security requirements, or the risk situation.

Treating risks: before deciding on the treatment of a risk, there should be criteria that determine whether risks can be accepted. Possible options for risk treatment include:
i. reducing risk using appropriate controls
ii. accepting risks, provided they meet the organization's policy criteria for acceptance
iii. avoiding risks by stopping the actions that could cause the risks to occur
iv. transferring the risk, for example to insurers or suppliers

Controls should be selected based on their ability to reduce risk to an acceptable level, considering:
i. the requirements and constraints of applicable regulations
ii. the organizational objectives
iii. operational requirements and constraints
iv. cost effectiveness
It is important to note that some controls might not apply to every information systems environment for all organizations. Finally, it is important to remember that no set of controls can achieve complete security. That means that management should implement the following:
i. ongoing monitoring
ii. evaluation
iii. improvements to the efficiency and effectiveness of security controls

RISK ASSESSMENT TECHNIQUES
The auditor potentially has a very large variety of audit subjects depending on the organization being audited. Each of these areas may have a different type of audit risk. There are many computerized and non-computerized methods of performing risk assessment. These methods range from a simple classification of high, medium, or low to more complex scientific equations providing a numeric risk rating, which the IS auditor may also be faced with.
One example of a risk assessment approach could use a scoring system to prioritize audits based on risk factors. Variables to be considered include:
i. technical complexity
ii. level of control procedures in place
iii. level of financial loss
Another form of risk assessment is judgmental, where decisions can be made on business knowledge, management directives, historical perspectives or business goals. The auditor should consider the level of complexity and detail that is appropriate for the audit.
Risk assessment can be used to determine the areas to be audited based on:
▪ Limited audit resources
▪ Information obtained from all levels of management; this can help the auditor in determining high-risk areas
▪ How an individual audit is related to the overall organization as well as to the business plans

AUDIT OBJECTIVES
Audit objectives refer to the specific goals that must be accomplished during the audit. For example, one objective may be substantiating that internal controls exist to minimize business risks and that they function as required. One key element in planning the audit objective is translating the basic and wide-ranging objectives into a specific audit objective. The auditor should have an understanding of how the general objectives can be translated into a specific control objective. This is important in the planning of the IS audit.

COMPLIANCE VS SUBSTANTIVE TESTING
Compliance testing is gathering evidence to test whether an organization is in compliance with control procedures. This is different from substantive testing, where the evidence is used to evaluate the integrity of transactions, data, or other information. A compliance test will determine whether controls are being applied in compliance with management's policies and procedures; the auditor should understand the objective of the compliance test and of the control being tested. Compare this to a substantive test, where the integrity of the processing is being evaluated rather than compliance.
Both compliance and substantive testing can work together: if the control is found to be in compliance then the need for substantive testing can be reduced. On the other hand, if the control shows a weakness then a substantive test can alleviate doubts about the accuracy or validity of what was audited.

AUDIT RISK MODEL
The audit risk model is a tool used by auditors to understand the relationship between the various risks arising from an audit engagement, enabling them to manage the overall audit risk. The audit risk model suggests that the overall audit risk of an engagement is the product of the following three component risks:
❖ Inherent Risk
❖ Control Risk
❖ Detection Risk
Audit risk is the risk that an auditor issues an incorrect opinion on the financial statements. Examples of inappropriate audit opinions include the following:
▪ Issuing an unqualified audit report where a qualification is reasonably justified;
▪ Issuing a qualified audit opinion where no qualification is necessary;
▪ Failing to emphasize a significant matter in the audit report;
▪ Providing an opinion on financial statements where no such opinion may be reasonably given due to a significant limitation of scope in the performance of the audit.
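The scoring system described under RISK ASSESSMENT TECHNIQUES above, carried through as an added example that is not part of the lecture slides: the three factors named there (technical complexity, level of control procedures in place, level of financial loss) are rated high/medium/low, weighted, and used to rank a constructed audit universe against a fixed number of audit days. The weights, the 3/2/1 mapping, the area names and the effort figures are all assumptions for the example.

```python
"""Weighted risk scoring to prioritise an audit universe (added example).
Factors from the slides (technical complexity, level of control procedures,
level of financial loss) are rated high/medium/low -> 3/2/1 and weighted.
Higher means riskier, so the control factor is expressed as *weakness*."""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}
# Weights are an assumption for this example; each audit function sets its own.
WEIGHTS = {"technical_complexity": 0.3, "control_weakness": 0.4, "financial_loss": 0.3}


@dataclass(frozen=True)
class AuditArea:
    name: str
    technical_complexity: str  # high / medium / low
    control_weakness: str      # weak control procedures in place -> "high"
    financial_loss: str        # potential financial loss if the area fails
    effort_days: int           # estimated audit effort


def risk_score(area: AuditArea) -> float:
    """Weighted sum of the factor ratings, on a 1.0 (lowest) to 3.0 scale."""
    score = 0.0
    for factor, weight in WEIGHTS.items():
        rating = getattr(area, factor).lower()
        if rating not in RATING:
            raise ValueError(f"{area.name}: unknown rating {rating!r} for {factor}")
        score += weight * RATING[rating]
    return round(score, 2)


def prioritise(areas, budget_days):
    """Rank areas by descending score, then greedily fill the available audit
    days (the 'limited audit resources' constraint on the slides)."""
    ranked = sorted(areas, key=lambda a: (-risk_score(a), a.name))
    plan, used = [], 0
    for area in ranked:
        if used + area.effort_days <= budget_days:
            plan.append(area.name)
            used += area.effort_days
    return ranked, plan


# Constructed audit universe for illustration (not real data).
SAMPLE_AREAS = [
    AuditArea("Core banking platform", "high", "high", "high", 15),
    AuditArea("Payroll system", "low", "medium", "high", 5),
    AuditArea("Intranet wiki", "medium", "low", "low", 3),
    AuditArea("Treasury settlements", "high", "medium", "medium", 10),
]
```

With a 20-day budget the greedy fill skips the second-ranked area because it no longer fits, which is exactly the trade-off the auditor has to make visible to management.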
AUDIT RISK MODEL
The calculation is:
Audit risk = Control risk x Detection risk x Inherent risk
The elements of the audit risk model are:
▪ Control risk. This risk is caused by the failure of existing controls or the absence of controls, leading to incorrect financial statements.
▪ Detection risk. This risk is caused by the failure of the auditor to discover a material misstatement in the financial statements.
▪ Inherent risk. This risk is caused by an error or omission arising from factors other than control failures. This risk is most common when accounting transactions are quite complex, there is a high degree of judgment involved in accounting for transactions, or the training level of the accounting staff is low.

EXAMPLE
ABC is an audit and assurance firm which has recently accepted the audit of XYZ. During the planning of the audit, the engagement manager has noted the following information regarding XYZ for consideration in the risk assessment of the assignment:
▪ XYZ is a listed company operating in the financial services sector
▪ XYZ has a large network of subsidiaries, associates and foreign branches
▪ The company does not have an internal audit department, and its audit committee does not include any members with a background in finance as suggested in the corporate governance guidelines
▪ It is the firm's policy to keep the overall audit risk below 10%

EXPLANATION
Inherent risk in the audit of XYZ's financial statements is particularly high because the entity is operating in a highly regulated sector and has a complex network of related entities which could be misrepresented in the financial statements in the absence of relevant financial controls. The first audit assignment is also inherently risky, as the firm has relatively little understanding of the entity and its environment at this stage. The inherent risk for the audit may therefore be considered as high.
Control risk involved in the audit also appears to be high since the company does not have proper oversight by a competent audit committee of the financial aspects of the organization. The company also lacks an internal audit department, which is a key control, especially in a highly regulated environment. The control risk for the audit may therefore be considered as high.
If inherent risk and control risk are assumed to be 60% each, detection risk has to be set at 27.8% in order to prevent the overall audit risk from exceeding 10%.

Working:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
0.10 = 0.60 x 0.60 x Detection Risk
0.10 = 0.36 x Detection Risk
Detection Risk = 0.10 / 0.36 = 0.278 = 27.8%

THANK YOU
