C8 IT Risk Assessments

ITRiskAssessmentsSFISACAFallConferenceSeptember20032IntroductionsEnterpriseRiskServicesKevinFried–PartnerMonicaO’Reilly–SeniorManagerDuyNguyen–ManagerParticipantsNameCompanySessionobjectives3AgendaRiskAssessmentOverviewITRiskAssessmentObjectivesITRiskAssessmentMethodologyITRiskAssessmentToolCaseStudy4ApplicationsofRiskAssessmentsBoardofDirectorsEnterprise-wideRiskAssessmentSpecificRiskAssessmentITRiskAssessmentManagementSelfAssessmentControlSelfAssessmentKeyPerformanceIndicatorsContinuousMonitoringInternalAuditRiskAssessmentFinancialAuditRiskAssessmentExecutiveManagementLineManagementInternalAuditorsExternalAuditorsandRegulators5ITRiskAssessmentObjectivesIdentifyITrisksthatmaypreventtheITorganizationfromachievingitsbusinessobjectives–comprehensiveriskidentificationiscrucialforthedevelopmentofriskmitigationstrategiesDevelopandmaintainanunderstandingoftheITenvironment(infrastructureandcriticalapplicationsystems)Identifyissuesand/orpotentialchangesintheITenvironmentthatresultinnewrisksObtainmanagement’sinputandconsensusongoals,initiatives,risksandissuesDeveloparisk-basedannualauditplan6RiskAssessmentandAuditPlanDevelopment•Considerriskfactorssuchasfinancialsignificance,controlenvironment,regulatorycompliancerequirements,andsystemsreliance•Summarizeresultsofbusinessactivityriskassessment•Developaudituniverse•Prioritizeaudituniversetopicsbasedonsignificanceandlikelihoodofoccurrence•Interviewkeymanagement,boardmembers,otherpersonnel•Identifykeybusinessstrategies,processes,activities,andrisks•Reviewfinancialresults,businessplans,andpriorinternalauditreports•Identifybusiness,industry,legislative,andregulatoryissues•Compileindustryleadingpractices•Developproposedrisk-basedauditplan•ConfirmconclusionswithmanagementandtheAuditCommittee•FinalizeannualinternalauditplanDataGatheringAssessmentPlanDevelopment7DataGatheringIdentifyPotentialFocusAreas(TechnologyOverview)Location/FunctionalUnitsMaturityofTechnologyMaturityofITProcessesBusinessUse/CriticalityPersonnelSkillLevelProjectsReviewRelevantReportsandIndustryInformationInterviewKeyManagement8TechnologyOverviewInventoryManagementHumanResourceLegalOperatingSystemsAccessControlChangeControlHardwareEnvironmentManufacturingSystemsAdministrativeCoreBusinessSystemsReportingOtherCustomerManagementProductQualityManagementPortalDataWarehousesERPReportingERP/Financials1.4ComplianceSalesInfrastructureInformationTechnologyProcesses9ReviewReportsandIndustryInformationInternalAuditReportExternalAuditReportITMetricsSystemavailabilityOutagesandprocessingerrorsNumberandnatureofchangesSystemusageandcapacitySpecificResearchStudiesandReports(Gartner,etc.)VendorTrainingIndustryBenchmarking/CompetitiveAnalysis/MarketTrendsGovernmental&RegulatoryRequirements10InterviewKeyManagementCIO/CTO&OtherKeyITPersonnelVariousApproachesforConductingInterviewsGroupvs.IndividualSessionsAnonymousVotingvs.OpenDialogueFormalQuestionnairesvs.FreeFlowingDiscussionsInterviewQuestions(DiscussRiskFactors)CurrentGoals&ObjectivesUpcomingChangesRisksfortheCompanyRisksinMeetingtheirGoals&ObjectivesInternalAuditExperience&ExpectationsDocumentResults&IdentifyCommonThemes11AssessmentEvaluateRiskFactorsFinancialSignificanceControlenvironmentRegulatoryComplianceSummarizeRisksLikelihood/ImpactDefineAuditPlanDevelopIndividualAuditPlans12EvaluateRiskFactorsTypesofRisk(COSODefinitions)OperationalRisk–Operationalefficienciesandadherencetomanagerialpolicies;includesdetailedoperationalcontrol(systems&technologies,policies,staffing,product/processchanges,businessinterruption)FinancialRisk(volume,complexity,reporting,liquidity,safeguarding)•Authorization-Thereisproperauthorization/segregationofduties.•Recording-Dataiscomplete,accurateandrecordedtimely.•Safeguard-Assetsaresafeguarded.•Reconciliation-Theaccountsbalanceandreconcileandanydifferencesareidentified.Regulatory/ComplianceRisk-Theregulations,policies,andproceduresgoverningtheeventsandaccountsareinplaceandbeingfollowed(law,regulations,compliance,specialreporting,codeofconduct,culture,ethics,selfassessment,riskmanagementactivities)13SpecificRiskFactorsOperationalRiskFactorsInternalControls–DocumentedPolicies&Procedures,PriorYearAuditResults,OverallQuality,Frequency,LastTimeManagement&KeyPersonnel–Turnover,Competence,Integrity,MoraleDepartmentGoals&Objectives–PerformancePressure,ConsistencywithCorporateGoals,Achievability,CompetitivePressureSystems–Age,Complexity,Automation,Changes,Decentralization,ImportanceBusinessRisks–SizeofOperation,Decentralization,Importance,Complexity,Volume,Growth,RecentPerformanceFinancialRisks–Materiality(assets,revenue),Complexity,VolumeRegulations–Changes,Complexity,IndustryConsideration14SummarizeRisksQuantitativevs.QualitativeAnalysisQuantitativeBenefits-feelsscientific,perceivedas“moreobjective”,granularityofanalysisWeaknesses-withoutweightedriskfactors-resultsmaybemisleadingQualitativeBenefits–usesbusiness/auditorjudgment,lesscomplicatedandtime-consumingNegative–consensusmaybedifficultOurRecommendationUseablendedapproach!!!15SummarizeRisksHighR