The devil lies in the details, IT risk assessment and IT risk management, what detail differentiate them? With the growth in the need of Information security and risk management, the terms IT risk assessment and IT risk management could be confusing to most of executives dealing with risk-based audits and compliance of the organization.
The Committee of Sponsoring Organizations’ (COSO) has provided an Enterprise Risk Management Framework in 2004. This was an influential move towards focusing efforts on internal controls and prioritization of review tasks when auditing internal controls. Based on the COSO framework, IT risk assessment evolved to provide support for building IT audit project plan. Further, financial auditors became more dependent on the outcome of the risk-based IT audits to substantiate their audit scope.
IT risk assessment is a component of the IT audit process. Regardless of the framework and methodology used, it focuses on identifying technical risks in a technology dependent environment. This entails identifying a risk such as denial of service attack and quantifying the probability of the risk happening. The best method to arrive to an acceptable risk value is to apply the following equation:
Risk = Asset x Vulnerability x Threat
Assets are given a coefficient values based on a certain range. Any quantitative range used can be qualitatively mapped to the ranges of the other factors. The objective is to arrive to a risk rate mapped to a tolerance scale, usually: High, Medium and Low. Although the usual practice is to use same scale, the following table illustrates an example of the different options that can be used as different scales:
IT risk assessment is part of IT risk management, which entails treatment plan. In IT risk assessment, the treatment options are unnecessary. The High, Medium and Low values are used as input for other tools, mainly IT audit plan. IT auditors benefit from the IT risk assessment in many ways that involve understanding of the IT set up, an overview of the structure of the IT, and a snapshot of the risk areas of the IT. For these reasons, IT risk assessment should be a prelude to audits and other review initiatives of the IT environments.
IT risk assessment methodology change for different environments and different industries, but the core objective is to identify areas, with certain risk values, where an intensive review should be conducted. For a bank, for example, major risks lie in operations and for a retail in POS. In that view, industry should also be a factor in building the risk universe (the set of applicable risks), which help in building an overall business operational understanding, when planning for risk based IT audits.
Most conspicuously, IT risk assessment is a prerequisite to IT audit, mainly to reduce the audit efforts where risk is low and to substantiate audit procedures where risk is high. While it is unnecessary to implement a treatment options for the identified risks, IT risk assessment benefits auditors and reviewers in many ways essential to the understanding of the IT environment.
Industry model is beneficial in providing aid to contemplating the risks associated with a specific setup in a specific industry. This is done using methods such as brainstorming, which is a very effective technique following Osborn’s method. In another sense, IT risks are not fixed in a stateless condition waiting to be identified. IT risks are variable in nature and comprise of vulnerabilities and associated threats. Identifying risks is a direct exercise when auditors consider the above equation.
The values of identified risks are called inherent risk scores and they represent the risks as naturally provided through the initial risks identification process. Inherent risks have associated controls that are applied in a reactive manner to the underlying asset. An example can be, password protection to a server, a locker to a network switch, or a review of a certain log. Subsequently, controls can be categorized as detective or preventive. As much as preventive controls are preferable, they are expensive to implement. When going through another round of risk assessment exercise and considering existing control measures, we produce a list of residual risks. Essentially, residual risks are the main factors in building a risk treatment plan or, in our initiative, in understanding the IT environment, in provisioning for IT audits, and in planning review initiatives.
In conclusion, IT Risk assessment is the result of [IT risk management] less [IT risk treatment options]. It is used to prioritize the review areas of the IT environment. Below is an example of how review can be executed based on IT risk assessment output. For a complete review, auditors have to examine the details of the process in a substantial manner. For a selected targeted review, auditors have to examine a targeted sample (60% or 70 %) of the details of the process. For a random selection review, auditors have to examine a random sample of (30% to 40%) of the details of the process.
Table 1: Sample Quarterly IT Audit Plan
Finally, the IT audit plan needs to align to the overall internal audit plan. In principle IT audit is part of the internal audit operations. The IT audit output feeds to internal audit plan and provides input to the internal audit planning process, in which internal audit head plan for the IT audits. Whether audits are performed based on risk assessment or not, IT risk assessment remains a necessity to pave the way for IT auditors to perform their jobs. In environment where risk assessment is conducted for all operations, IT risk assessment will align with the overall risk assessment plan to create visibility to the business operational and IT risks.