IS Auditing, Controls and Assurance
Risk Management Process


Last updated 5 months ago

Risk Assessment

Identify the areas that carry higher risk.

Step 1 - Define the impact

In this example, the threat will be an earthquake.

Step 2 - Define the probability of having risk

Probability / Definition:

  • Probable: The event is expected to occur

  • Likely: The event will probably occur

  • Possible: The event might occur at some time

  • Unlikely: The event could occur at some time but is improbable

  • Very unlikely: The event has little or no chance of occurrence

Step 3 - Identify the risk for different threats and create a risk matrix

Step 4 - Rate the risk

  • 1-6: Low - Minor issue of little concern, with some small disruptions

  • 7-14: Medium - Requires attention; inconvenience and risk occur

  • 15-25: High - Requires urgent attention; introduce controls to reduce the risk
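The four steps above, worked through in code as an added example (not part of the original course material). It assumes, as the page does not state it explicitly, that impact is scored 1-5 and that the five probability levels map to 1 (very unlikely) through 5 (probable), which is what makes the page's 1-25 rating bands line up; the threats listed are constructed samples.

```python
"""Risk matrix worked example: score = impact x probability, rated with the
page's bands (1-6 Low, 7-14 Medium, 15-25 High).

Assumptions (not stated on the page): impact is scored 1-5 and the five
probability levels map to 1 (very unlikely) .. 5 (probable), so that the
maximum score is 25.
"""

PROBABILITY = {
    "very unlikely": 1,  # little or no chance of occurrence
    "unlikely": 2,       # could occur but is improbable
    "possible": 3,       # might occur at some time
    "likely": 4,         # will probably occur
    "probable": 5,       # expected to occur
}

# Rating bands taken from Step 4 on the page.
BANDS = [(1, 6, "Low"), (7, 14, "Medium"), (15, 25, "High")]


def score(impact: int, probability: str) -> int:
    """Cell value of the risk matrix for one threat (Step 3)."""
    if not 1 <= impact <= 5:
        raise ValueError("impact must be 1..5 (assumed scale)")
    return impact * PROBABILITY[probability.lower()]


def rate(score_value: int) -> str:
    """Map a matrix score onto the page's Low/Medium/High bands (Step 4)."""
    for low, high, label in BANDS:
        if low <= score_value <= high:
            return label
    raise ValueError(f"score {score_value} outside 1..25")


def risk_matrix(threats: dict[str, tuple[int, str]]) -> list[tuple[str, int, str]]:
    """Score every threat and return rows sorted highest risk first."""
    rows = [(name, score(i, p), rate(score(i, p))) for name, (i, p) in threats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample threats: (impact 1-5, probability level).
SAMPLE_THREATS = {
    "earthquake": (5, "unlikely"),                   # 10 -> Medium
    "phishing of staff credentials": (4, "likely"),  # 16 -> High
    "printer outage": (1, "probable"),               # 5  -> Low
}

if __name__ == "__main__":
    for name, s, label in risk_matrix(SAMPLE_THREATS):
        print(f"{name:32} {s:2}  {label}")
```

The sorted output is the prioritised list that Step 3's matrix is meant to produce: the High entries are where controls are introduced first.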

Risk Mitigation

Reduce risk by applying controls.

Remaining risk / Control:

  • 0%: Eliminate risk -> impossible!!

  • 40%: Username + password + firewall + encryption + biometrics

  • 50%: Username + password + firewall + encryption

  • 60%: Username + password + firewall

  • 80%: Username + password

  • 100%: No control

At which level do we stop trying to reduce the risk? And who should make that decision? Senior management should!

More control means higher cost.

What are the options if senior management is still not happy with the existing risk?

  • Transfer the remaining risk to a 3rd party (e.g. insurance)

Avoid the risk

For example, a bank decides not to offer e-banking.

This is a last resort, as most of the time it leads to a loss of customers.

Summary

  1. Reduce the risk using controls to a level acceptable to senior management

  2. Transfer the risk to a third party

  3. Avoid the risk

Risk re-evaluation

When should we do it?

Time driven

Periodically, without any external factor trigger.

Event driven

When the environment changes.

  • Something changed within an organisation or similar organisations

  • Government regulation

  • Natural disaster