Risk Analysis and Management

N. Nagarajan, I.A. & A.S.

Introduction:

Risk can be defined as any perceived threat or disruption to an ongoing activity. Risks can be broadly categorized as those relating to management and organization, accuracy and completeness, security, auditability and timeliness, and recoverability. The scope and direction of audit work should be determined by assessing those areas that represent the greatest risk to the organization. There are many approaches to risk analysis, but ideally it acts as a process for risk management within the organization, separate and apart from auditing. If risk assessment and management is not a formal process within the organization, then the auditor must assess risks and risk management and find ways to communicate with management to ensure consistent views on risks.

Sometimes auditors will focus on business controls, forgetting that controls exist for the purpose of managing risk. Auditors, too, may pursue risk reduction rather than perceiving the importance of risk management. Often managers outside of auditing do not think of management responsibilities in terms of controls. Instead they think of the processes and activities they manage, and consider how to manage risks. Therefore, an important communication tool for auditors is a clear and understood identification and assessment of risks. On the one hand, managers understand risks and can probably describe the most significant risks facing them. On the other hand, auditors can supplement the manager's list of risks by asking questions about the types of things auditors know can typically go wrong. It is generally more effective to proceed from a discussion of risks to an assessment of the controls than to start by talking about controls.

The list of risks provided by management and supplemented by the auditor is the first element of the auditor's risk analysis. The next steps involve assessing the probabilities of exposures resulting from those risks and their potential costs. For this, an auditor can use tools as simple as spreadsheets or databases, or can opt for more complex systems, possibly tied into an integrated audit management system. Whatever the approach and tools used, the auditor's risk assessment should be shared with management and a general consensus sought, to ensure effective communication of the objectives, priority and scope of the audits.

Case Study 1: Risk Assessment and Management in an EDI Environment

1.1 Carrying out risk analysis and management reviews enables management to make objective decisions on the risks to its systems. It also identifies the justifiable countermeasures for maintaining the confidentiality, integrity and availability of IT systems. The basic criteria are:
1) the current situation,
2) the threats faced, together with an assessment of vulnerability,
3) the value or impact of these risks in business terms,
4) how these risks may be reduced, mitigated, transferred or eliminated,
5) why action needs to be taken, and
6) what actions are available, and the consequences and cost-benefit of each.

1.2 Observation: To a query as to whether a formal risk analysis had been done and a management method used to provide an objective assessment of the level of protection needed to reduce security risk, the Department replied that all required measures had been taken to prevent security breaches, and remained silent about the risk analysis. It was observed during audit that the Department had not carried out a comprehensive risk assessment. The Department stated that it does not have the necessary competence or resources to conduct a risk assessment, and that the Ministry of Finance has been requested to provide them. The Department also stated that it is quite a complex task to accurately assess threats and vulnerability, and that audit's recommendation to have a proper risk analysis based on the CRAMM method is being considered. In the absence of a comprehensive risk assessment and management method, audit is unable to ascertain the systems' capability to overcome risks and to function normally should those risks materialize.

1.3 Risk: This may result in business discontinuity (e.g. the longer a fraud remains undetected, the greater the loss in terms of value, confidence and adverse publicity). Any disruption in service may have an impact on customer satisfaction, cause loss of confidentiality of sensitive information (inadvertent disclosure in the mailbox system), and bring increased exposure to fraud and increased reliance on third parties. Data processing and communication errors result in the transmission of incorrect trading information and in the reporting of inaccurate information to management. Ultimately it may result in the possible loss of the audit trail.

1.4 Recommendation: Threats and vulnerabilities should be identified and their levels accurately assessed in terms of fire, water damage, natural disaster, staff shortage, wilful damage, theft, system infiltration, misuse of resources, equipment, power or environmental failure, and errors by operators, programmers, engineers or users. The Department should ensure that results are consistent across the broad spectrum of systems reviewed. Formal risk analysis and management methods are now more necessary than ever to cope with the complex security problems presented by IT systems. The Department must undertake a proper risk analysis based on the CRAMM method and must develop a contingency plan for any risks. It:
- should set up an EDI industry workgroup;
- must specify interchange standards and security operations;
- must review the risks associated with the application and assess the extent of additional controls required;
- should identify and assess all potential risks;
- should keep a record log of all matters relating to breakdowns in computer security, to assist in preventing future risks;
- should formulate a data security and formal data communication policy.

The Department has agreed with the views of audit to have a comprehensive risk analysis done.

Conclusion: Risk assessment is an iterative process, the results of which should be maintained in such a way as to facilitate reference and updating by auditors during subsequent audit projects.
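The following is an added worked example, not part of the original article or of any CRAMM tooling, showing the risk register that the introduction describes (list of risks, probability of exposure, potential cost) scored against the criteria of 1.1: expected loss ranks the risks, and each countermeasure's net benefit decides whether to reduce, accept or transfer. The register entries, probabilities, costs and countermeasure names are constructed for illustration and are not figures from the audit.

```python
from dataclasses import dataclass, field

@dataclass
class Countermeasure:
    name: str
    annual_cost: float      # cost of running the control for a year
    reduction: float        # fraction of the expected loss it removes (0..1)

@dataclass
class Risk:
    threat: str             # threat category, as listed in recommendation 1.4
    exposure: str           # business consequence if the threat materializes
    probability: float      # estimated probability of the exposure per year
    impact: float           # cost of one occurrence, in business terms
    countermeasures: list = field(default_factory=list)

    def expected_loss(self) -> float:
        """Criteria 2 and 3: likelihood times impact, the figure the register is ranked on."""
        return round(self.probability * self.impact, 2)

def rank_register(register):
    """Highest expected loss first: these areas get audit scope and priority."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)

def evaluate(risk):
    """Criterion 6: net benefit of each countermeasure (loss avoided minus cost), best first."""
    rows = [(cm.name, round(risk.expected_loss() * cm.reduction - cm.annual_cost, 2))
            for cm in risk.countermeasures]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def recommend(risk):
    """Criterion 4: reduce the risk if a countermeasure pays for itself, else accept or transfer it."""
    options = evaluate(risk)
    if options and options[0][1] > 0:
        return f"reduce: {options[0][0]}"
    return "accept or transfer: no countermeasure is cost-justified"

# Constructed sample register for the EDI case; all values are illustrative, not from the audit.
REGISTER = [
    Risk("system infiltration", "undetected fraud via altered interchanges", 0.2, 500_000,
         [Countermeasure("daily reconciliation of interchanges", 30_000, 0.6),
          Countermeasure("dedicated fraud investigation unit", 120_000, 0.9)]),
    Risk("equipment or power failure", "disruption of EDI service", 0.5, 40_000,
         [Countermeasure("standby power and tested contingency plan", 15_000, 0.8)]),
    Risk("misuse of resources", "inadvertent disclosure from the mailbox system", 0.1, 80_000,
         [Countermeasure("mailbox access controls with periodic review", 10_000, 0.7)]),
]

if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        print(f"{risk.threat}: expected loss {risk.expected_loss():,.0f} -> {recommend(risk)}")
```

The same table can be kept in a spreadsheet, as the article suggests; the point is that the ranking and the reduce/accept/transfer decision follow from the recorded probability, impact and countermeasure cost rather than from a discussion that starts with controls.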
Copyright © AuditNet.org.
Address of this Page is http://www.auditnet.org/