06 Risk Management of the IS Function
Chapter 6
Auditor’s Guide to Information Systems Auditing
Learning Objectives
1. Introduce the concept of computer risks and exposures and develop an understanding of the major types of risks faced by the information system (IS) function, including the sources of such risk as well as the causes.
2. Emphasize management’s role in adopting a risk position, which itself necessitates a knowledge of the acceptable management responses to computer risks.
3. Examine risk and its nature in the corporate environment and look at the internal audit need for appropriate risk analysis to enable risk-based auditing as an integrated approach.
What is Risk?
• “Risk” is the possibility that one or more individuals or organizations will experience adverse consequences from the choices they make.
• Risk is the mirror image of opportunity.
• All entities encounter risk regardless of their size, corporate structure, nature of business, or type of industry.
• All business decisions involve elements of risk, whether it is a decision regarding the financing of the business, the addition or deletion of product lines, or the sources and methods of supply to the organization.
Risk Identification
• Risks cannot be eliminated, only managed, but this requires an
entity-wide risk identification.
• Risk identification may be done as part of the planning process
either on a “zero base” or as incremental to the last review. Risks
may arise from internal or external factors and the factors
themselves may be interrelated.
Board Responsibility
• The Board has responsibility for determining the strategic direction
of the organization and for creating the environment and the
structures for risk management to operate effectively. This may be
through an executive group, a non-executive committee, an audit
committee or such other function that suits the organization’s way
of operating and is capable of acting as a ‘sponsor’ for risk
management.
Board Responsibility
• The Board should, as a minimum, consider, in evaluating its system of internal control:
  • The nature and extent of downside risks acceptable for the company to bear within its particular business
  • The likelihood of such risks becoming a reality
  • How unacceptable risks should be managed
  • The company’s ability to minimize the probability and impact on the business
  • The costs and benefits of the risk and control activity undertaken
  • The effectiveness of the risk management process
  • The risk implications of board decisions
Auditing in General
• Auditing in general involves an annual risk assessment and
planning exercise to determine the overall audit coverage required.
• This is followed by individual audit planning.
• The preliminary review is used to obtain and record an
understanding so that an audit area may be broadly evaluated.
• From this evaluation, the extent of compliance testing or
substantive testing required may be determined.
• After the testing is completed and the results evaluated, audit
reporting must take place. This is typically addressed to the first
level of management able and empowered to take effective action.
• After the report is agreed and issued, a follow-up is required to
ensure any agreed action has taken place.
Auditing in General
• The auditor needs to identify the appropriate control objectives,
then to identify what is needed to accomplish control, to identify
where responsibility lies, and whether a management, system, or
physical control is appropriate.
• Identifying control objectives is done via the risk profile. The
control objectives will have unique weightings for your site
although the fundamental objectives of availability, completeness,
accuracy, confidentiality, and integrity will not change.
• All controls implemented will involve cost/benefit trade-offs.
Auditing in General
• Problems that will commonly be encountered as a result of computer risks include:
  • Erroneous record keeping
  • Unacceptable accounting
  • Business interruption
  • Erroneous management decisions
  • Fraud and embezzlement
  • Loss or destruction of assets
  • Competitive disadvantage
  • Excessive costs
  • Paralysis of the business
Auditing in General
• Typical causes of computer risks in companies include no risk
evaluation having been done. This commonly results in an incorrect
view of computer controls.
• No allocation of responsibilities and a lack of management involvement
lead to inadequate segregation of duties.
• Poor supervision and poor personnel procedures can lead to problems
with inadequate access control.
• Open systems and a lack of user awareness coupled with the common
problem of human errors combine to leave an unacceptable risk
position.
Auditing in General
• Auditors normally consider three types of risks when utilizing the risk-based audit approach.
  • Inherent risk is the likelihood of a significant loss occurring before taking into account your risk-reducing factors.
  • Control risk measures the likelihood that the control processes established to manage inherent risk prove to be ineffective.
  • Audit risk is the risk that significant business exposures have not been adequately addressed by the audit process.
• The auditor must always bear in mind the cost of controls in reducing risks and that, at some point, a management decision may be taken to implement no further controls and accept the residual risk.
Elements of Risk Analysis
• Risk analysis involves the estimating of the significance of a given
risk and assessing the likelihood or frequency of the risk occurring.
• Risk analysis in an organization involves process analysis, which
requires the identification of key dependencies and control nodes.
• It looks at the processes within a business entity and identifies
cross-organizational dependencies.
• It looks at where data originates, where it is stored, how it is
converted to useful information, and who uses the information.
Elements of Risk Analysis
• In practice this is a management decision where cost-benefit
analysis usually results in some portion of the risk being managed
and some portion remaining.
• Management should review the residual risk on an ongoing basis
and from an exposure standpoint.
• Most risk analysis ignores collusion (two or more people acting
collectively) or management override of the system of internal
control.
• Nevertheless, meaningful risk analysis substantially increases the
probability of achieving objectives.
Defining the Audit Universe
• Computer risk. Probability that an undesirable event could turn into
a loss.
• Computer exposure. Results from a threat from an undesirable
event that has the potential to become a risk.
• Vulnerability. A flaw or weakness in the system that can turn into a
threat or a risk.
List of Computer Risks
• Loss of sales or revenues
• Failure to meet government requirements or laws
• Loss of profits
• Loss of personnel
• Inability to serve customers
• Inability to sustain growth
• Inability to operate effectively and efficiently
• Inability to compete successfully for new customers
• Complete business failure
• Inability to stay ahead of the competition
• Inability to stay independent without being acquired or merged
• Inability to maintain present customer/client base
• Inability to control costs
• Inability to cope with advancements in technology
• Inability to control employees involved in illegal activities
• Damage to business reputation
Computer System Threats
• Threats may come from either external or internal sources and may
be intentional or unintentional as well as malicious or non-
malicious.
• Internal threats may come from users, management, IS staff, IS
Auditors, and others, either acting alone or in collusion.
Computer System Threats
• Users: Threats from this source are the most commonly occurring
and include errors, fraud, breach of confidentiality (commonly
accidentally), or malicious damage.
• Management: Threats here again include error and fraud but may
also include systems manipulation for “corporate” reasons such as
profit smoothing or advance booking of sales or delayed recording
of costs.
• IS Staff: Threats here include the normal problems of error, fraud,
and breach of confidentiality as well as malicious damage.
• IS Auditors: A commonly ignored threat, IS Auditors again are in a
position to commit errors or fraud, to breach confidentiality, or
cause malicious damage.
Computer System Threats
• Others: Other people also have access to computer systems, including engineers, salespersons, and so forth. Threats here again include errors, fraud, and loss of confidentiality, as well as malicious damage and accidental destruction. Common causes in these cases include poor disposal of outputs, careless talk, inadequate access control (both physical and logical), publicity, and the advent and promotion of open systems.
• External Threats: Threats may come from legitimate external users as well as from inter-computer links such as the Internet and electronic data interchange systems, from system hackers and viral attacks, and from natural causes. Such threats are commonly caused by inadequate logical access control, leaving high-value systems unguarded.
Risk Management
• With such a plethora of risk exposures, management must adopt a
position on risk. It may involve any or all of accepting the risk,
reducing the risk (normally by increased internal control), or
transferring the risk.
Risk Management
• Risk-Based Audit Approach
  • Risk assessment must be carried out in order to permit the efficient allocation of limited IS Audit resources, to ensure that all levels of management have been checked, and to focus the audit effort on areas of highest business impact.
  • Risk assessment is then the basis for audit department management because it summarizes the impact of the selected subject on the overall business.
  • The initial audit activity gathers or updates information about the organization in order to determine the audit strategy.
  • The initial information required would include knowledge of the organization’s business and place within its industry, as well as a knowledge of the applicable accounting, auditing, and regulatory standards within the industry.
Risk Management
• Risk factors to consider:
  • Date and results of last audit
  • Financial exposure and potential loss and risk
  • Requests by management
  • Major changes in operations, programs, systems, and controls
  • Opportunities to achieve operating benefits
  • Quality of the internal control framework
  • Competence of management
  • Complexity of transactions
  • Liquidity of assets
  • Ethical climate and employee morale
Risk-based Auditing
• Risk-based auditing involves integrating the concepts of high-level
risk analysis into the development of the overall audit plan. The
audit plan itself may be differentiated between mandatory audit
activities and discretionary audit activities.
• Mandatory audit activities are those activities that must be carried
out within the time span of the audit plan and include legal or
regulatory requirements, senior management requirements, and
external auditor liaison requirements.
• Discretionary audit activities should be decided upon using risk factors, which should be limited to the ten most important or fewer to keep the process manageable. Risk factors must apply to a variety of products and services across the company.
Risk-based Auditing
• Common risk factors within information systems include the following:
  • Monetary values handled within individual applications.
  • Disclosure of information to a third party could seriously impact the organization and could, in some cases, jeopardize the future viability of the organization.
  • Loss of information could, under some circumstances, also threaten the existence of the business.
  • Failure to comply with legal statutes or regulations will normally result in some form of sanction, frequently monetary.
  • The technical complexity of systems is very much a judgment call: a system classed as extremely complex by one organization may be seen as the norm at another.
  • For many modern organizations unavailability of systems has become a major threat, and for many businesses an extended period of unavailability could result in the rapid closure of the business.
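As an added example that is not part of the chapter, the following Python model works through the risk-based planning described on the last two slides: each area in the audit universe is scored 1 to 5 against the six information-system risk factors listed above, the factors are weighted, mandatory activities are always scheduled, and the remaining audit days go to the highest-scoring discretionary areas. The weights, the sample audit universe, and its scores are constructed assumptions, not figures from the book.

```python
from dataclasses import dataclass

# The six IS risk factors from the slide; the weights are constructed assumptions (sum to 1.0).
RISK_FACTORS = {
    "monetary_value": 0.25, "disclosure_impact": 0.20, "loss_of_information": 0.15,
    "legal_compliance": 0.15, "technical_complexity": 0.10, "unavailability": 0.15,
}

@dataclass
class AuditArea:
    name: str
    days: int          # audit effort the area would consume
    mandatory: bool    # legal/regulatory, senior management or external-auditor requirement
    scores: dict       # factor name -> 1 (low) .. 5 (high)

def weighted_risk(area):
    """Weighted risk score in [1, 5]; rejects a missing or out-of-range factor score."""
    total = 0.0
    for factor, weight in RISK_FACTORS.items():
        score = area.scores.get(factor)
        if score is None or not 1 <= score <= 5:
            raise ValueError(f"{area.name}: factor {factor!r} must be scored 1-5, got {score}")
        total += weight * score
    return round(total, 2)

def plan_audits(universe, budget_days):
    """Mandatory activities first, then discretionary areas by descending risk while they fit."""
    mandatory = [a for a in universe if a.mandatory]
    needed = sum(a.days for a in mandatory)
    if needed > budget_days:
        raise ValueError(f"mandatory work needs {needed} days, budget is {budget_days}")
    plan, remaining = [a.name for a in mandatory], budget_days - needed
    discretionary = sorted((a for a in universe if not a.mandatory),
                           key=lambda a: (-weighted_risk(a), a.name))
    for a in discretionary:
        if a.days <= remaining:   # an area that no longer fits is skipped; smaller ones may still fit
            plan.append(a.name)
            remaining -= a.days
    return plan, remaining        # unused days carry forward to the next planning cycle

def _area(name, days, mandatory, *scores):
    return AuditArea(name, days, mandatory, dict(zip(RISK_FACTORS, scores)))

# Constructed sample audit universe, not taken from the chapter (scores follow RISK_FACTORS order).
UNIVERSE = [
    _area("Statutory financial reporting", 10, True,  3, 3, 3, 5, 2, 3),
    _area("Payments system",               15, False, 5, 3, 4, 4, 3, 5),   # weighted risk 4.10
    _area("Customer database",             12, False, 2, 5, 4, 5, 2, 3),   # weighted risk 3.50
    _area("Email gateway",                  8, False, 2, 4, 3, 3, 3, 4),   # weighted risk 3.10
    _area("Intranet wiki",                  5, False, 1, 2, 2, 1, 1, 1),   # weighted risk 1.35
]
```

With a 40-day budget, `plan_audits(UNIVERSE, 40)` schedules the mandatory statutory audit plus the payments system and customer database, leaving 3 days that no longer fit the email gateway.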
Risk-based Auditing
• Establishing a detailed risk profile involves assessment of a range of security-threatened areas including:
  • Physical security
  • Personnel security
  • Data security
  • Applications software security
  • Systems software security
  • Telecommunications security
  • Operations security
Risk-based Auditing
• Assessing the risk could involve measuring and evaluating the
number of users on the system, the security awareness of those
users, the value of assets under the direct control of the systems,
the degree of user sophistication, and outsider access.
• In addition, the effectiveness of password management and change
control must be considered as well as the access rights of both
operations and development staff.
• Controls such as the scrutiny of logs may also be seen to reduce
risk.