Assignment Two
10/12/2016
Internal Audit Senior Managers are asking you to develop a Risk and Control Matrix for the IT audit entity you plan to audit and incorporate the RCM into the Audit Planning Memo your team worked on.
The risk and control matrix should identify the key risks associated with the operating systems you are going to audit. It should be created in a table format (refer to the RCM Template) and should contain the following components:
- Risk Events (C.I.A) & Risk Description Detail – Answer the “so what” question
- Inherent Risk Rating Rationale (Likelihood, Impact)
- Inherent Risk Rating (H/M/L)
- Expected Controls (What should be in place to mitigate the risk identified)
- Control Assessment (evaluation of the design of the controls – hypothetical)
Sample IT Risk Definition:
- IT Governance
- System Development
- System Documentation
- Library Management and Change Control
- Information Security
- Desktop and Servers
- Infrastructure Disaster Recovery
- Data Center Operation Services
- Data Center Physical Security
- Data Transmission
- Data Integrity
- End User Computing
- Telecommunication
- Vendor Resilience
Due Date: EOD 10/26/2016
Sample RAM Template:
risk-assessment-matrix-template
Email to: Liang.yao@temple.edu
Please call me or email me should you have any questions regarding the completion of this assignment BEFORE the due date.
Assignment # 2 Discussion Points
- Risk category: the common risk categories related to technology discussed in class, including financial risk, operational risk, legal risk, reputation risk, compliance risk, etc. What your team stated here is the control breakdown; let me know if you have further questions related to this review note. E.g., “malicious software” and “default password” are NOT risk categories.
- Risk Statement -> the “so what” question: what can eventually go wrong, and what are the consequences? E.g., weak password control; pervasiveness of privileged account assignment; lack of system patching policies and procedures, etc.
Example One: “Loss of critical company information due to unethical matters related to ADP payroll reporting efficiency could result in reputational damage to the company or potential litigation against the company.”
Example Two (not a risk statement; it is a description of controls): “Policies that govern crucial aspects of OS activities should be reevaluated on a current basis, making sure that the procedures and particular activities are achieving their objectives. Policies and Procedures that do not account for a changing environment create loopholes that can be abused by external entities.”
- Rating Rationale – explain the risk rating from the “Likelihood” and “Impact” aspects
- Inherent Risk Rating – Impact/Likelihood/Overall; DO NOT take controls into consideration.
Good Example: “Inherent risk is medium because it is very difficult to account for every single scenario when writing policies and procedures (and it would not be reasonable to do so). Policies and Procedures should balance the level of control with the level of productivity, leaving some degree of flexibility to the employees.”
Example (not a risk rationale): “The server is accessed by an unauthorized user which could lead to data corruption or theft.”
Example: “Lack of scheduled updates and maintenance creates security vulnerabilities.”
- Why is the risk rated “High”?
- Assessing the “Controls”
- Expected Control vs. Current/Actual Control
- Information gathering
- Separate the different types of controls; one risk can be mitigated by multiple controls; primary vs. secondary controls (partial controls)
- Control Statement
- Example: “Currently the policies and procedures are reevaluated by the IT department every 3 months.”
Example: “AC5 Output Review, Reconciliation and Error Handling; AC4 Processing Integrity and Validity.”
- Assess the “Design of the controls” – Adequate or inadequate
- Testing the “Operating Effectiveness” of the control – Effective or Ineffective or Inconclusive
- Why is it important to assess the “Inherent Risk” accurately?
- If multiple controls are identified to mitigate the risk, break down each control separately
- Control design assessment: (a) adequate or not (b) why?
- Using Word for assignment #3