Author Note
This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson.
March 2014
Page 1 of 26
Risk-Based IT Audit
Table of Contents
Abstract ........ 3
Introduction ........ 4
Methodology ........ 6
IT Risk Management ........ 7
Identifying assets ........ 13
Risk calculation ........ 16
Audit universe ........ 17
Audit plan ........ 18
  Preparation phase ........ 19
  Assessment phase ........ 19
  Mitigation phase ........ 20
  Reporting phase ........ 20
  Follow-up phase ........ 20
Data analysis ........ 22
Conclusions ........ 25
References ........ 26
Abstract
Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and
information technology (IT). This paper discusses how implementing an IT risk management
framework can enhance the efficiency of IT risk management and risk reporting efforts. The
paper provides a quick overview of the IT risk management and control framework, ways to
identify business risk, and the efficient and effective IT risk management practices IT auditors
need to consider. This paper also focuses on IT risk assessment from an enterprise risk-based
organizations to develop an internal IT audit program, or those looking for new ways to assess
security risks.
Introduction
to become more complex every day. By its very nature, it is fraught with risk. The increased
demand for transparency around risk has not always been met, however, as evidenced by the
financial market crisis, where the poor quality of underlying assets significantly impacted the
value of investments. Identifying, managing, and exploiting risk across an organization has
opportunities and which represent potential pitfalls. Risk assessment gives organizations a clear
view of variables to which they may be exposed, whether internal or external, retrospective or
forward-looking. A good risk assessment is anchored in the organization’s defined risk appetite
and tolerance, and it provides a basis for determining risk responses. A robust risk assessment
identify, evaluate, and exploit the right risks for business, all while maintaining the appropriate
controls to ensure effective and efficient operations and regulatory compliance. (A practical
systems, management is concerned with the rising costs associated with performing audits of the
organization's functioning; organizational management often pushes to ensure the proper
and efficient operation of the audit department. This, however, has brought forward the
lucrative cost benefits of outsourcing the information systems audit function. There are also
instances where information systems auditing is not a core competency of the internal audit
change the company's control environment. IT is also critical to ensuring that operational assets are
used effectively and to maintaining the integrity and reliability of the organization's financial reporting
process (Risk IT: Based on COBIT Objectives and Principles, Fischer, 2009). Implementing the
Risk-Based Audit Methodology should not only enhance the efficiency and effectiveness of IT
risk management, business operations, and risk reporting, but also highlight the unique role that
IT plays when identifying events or incidents that may affect the organization's ability to achieve
its objectives.
Using the Risk-Based Audit Methodology to identify IT risks, auditors can help
companies conduct an enterprise-wide risk assessment (What Every IT Auditor Should Know
About IT Risk Assessment, Tommie W. Singleton, 2009). This also will help to identify any risks
Methodology
staff to meet regulatory requirements, validate that existing controls protect business functions,
and determine when new controls are required. Unlike an audit in which the auditor uses a
checklist and pen to determine compliance, a risk-based audit requires having an understanding
of the organization's business functions and objectives -- to really dig deep within systems and
networks.
"In a risk-based audit approach, information systems auditors are not just relying on risk;
they also are relying on internal and operational controls as well as knowledge of the company or
the business" (ISACA). Thus, a risk-based audit provides a more thorough assessment of
business risk, and enables managers to make informed decisions based on their risk appetites.
Aligning enterprise IT decisions and practices with the level of acceptable risk in an organization
is the driver for beginning a risk-based audit, and it is the risk assessment process that helps
Risk assessment is a systematic process for identifying and evaluating events (e.g.,
possible risks and opportunities) that could affect the achievement of objectives, positively or
negatively. Such events can be identified in the external environment (e.g., economic trends,
regulatory landscape, and competition) and within an organization’s internal environment (e.g.,
people, process, and infrastructure). When these events intersect with an organization’s
objectives—or can be predicted to do so—they become risks. Risk is therefore defined as “the
possibility that an event will occur and adversely affect the achievement of objectives.” (COSO,
Risk appetite or acceptable risk is the amount of risk exposure that a business is willing to
accept. The organization must set a threshold for identifying when and where to implement
controls to mitigate risk. This process is essential to determining what controls are good to have
vs. those necessary to protect business functions. Several risk management methodologies, such
as those by the International Organization for Standardization (ISO) and the National Institute of
Standards and Technology (NIST), provide management with good estimates for assessing
acceptable risk. In some manner, those methodologies commonly include identifying assets,
http://www.pwc.com/en_us/us/issues/enterprise-risk management/assets/risk_assessment_guide.pdf
IT Risk Management
IT risk is a component of the enterprise’s overall risk universe. Information technologies and
systems are a major part of the enterprise infrastructure. Integration and alignment of IT risk and
enterprise or business risk is a necessity. IT risk is business risk—specifically, the business risk associated
with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It
consists of IT-related events and conditions that could potentially impact the business.
The primary view of IT is that of an operations or service delivery organization. In this capacity,
IT risk addresses the ability to deliver the IT services that enable the enterprise to perform day-to-day
operational processes. However, IT risk also addresses system development, acquisition and maintenance
processes. This relates to ensuring the selection, development and maintenance of business processes that
operate the revenue generation and fulfillment of the organization, and address business needs in a cost-
effective manner. Finally, IT risk addresses the ability for IT to provide value and/or benefit to the
enterprise through automation. Risk assessment can therefore be conducted at various levels of the
The objectives and events under consideration determine the scope of the risk assessment
compliance obligations, considering laws and regulations, policies and procedures, ethics
and business conduct standards, and contracts, as well as strategic voluntary standards
and best practices to which the organization has committed. This type of assessment is
typically performed by the compliance function with input from business areas.
assets and information protection and security. This considers infrastructure, applications,
security function.
assessment would consider such factors as processing capacity, access control, data
- Project risk assessment. Evaluation of the risk factors associated with the delivery or
Information Systems Audit and Control Association (ISACA)’s Control Objectives for
Information and Related Technology (COBIT) framework using generally applicable and
accepted good practices. COBIT is a framework for the governance of IT and supporting tool set
that allows managers to bridge the gap among control requirements, technical issues and
business risk. COBIT enables clear policy development and good practice for IT control
throughout enterprises. The COBIT control objective should be identified for each
audit/assurance step in the section. COBIT provides in-depth control objectives and suggested
and drives business processes and includes the primary business functions with the IT
organization.
The primary COBIT processes associated with IT risk management are PO9 Assess and
manage IT risks, and ME4.5 Provide IT governance – Risk management. (IT Risk Management
business and IT regularly assess and report IT-related risks and their impact and that
the enterprise’s IT risk position is transparent to all stakeholders.
(Refer to COBIT 4.1 for the control objectives in their entirety. Refer to ISACA’s COBIT
Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2007)
Control Framework. The importance of the control framework has been enhanced due to
the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to
integrate control framework elements used by the general audit/assurance team into the IT audit
and assurance framework. Since COSO is widely used, it has been selected for inclusion in the IT
audit program. The original COSO internal control framework contained five components. In
2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and
extended to eight components. A robust risk assessment process forms the foundation for an
effective enterprise risk management program. It constitutes a key component of the Enterprise
interrelationships between risk assessment and the other components of enterprise risk
management such as control activities and monitoring and understand the principles and steps
partial information systems department functions, auditing for compliance with internal systems,
technical audit training, and special assistance on a project-by-project basis. ERM’s team of
internal information systems auditors helps organizations to focus on the critical information
systems risks that impact the bottom line of their operations. Organizations that vigorously
interpret the results of their risk assessment process set a foundation for establishing an effective
ERM program and are better positioned to capitalize on opportunities as they arise. The ERM
framework can help organizations improve their IT risk management efforts by:
The primary difference between the two frameworks is the additional focus on ERM and
integration into the business decision model. ERM is in the process of being adopted by large
The original COSO internal control framework addresses the needs of the IT audit and
assurance professional: control environment, risk assessment, control activities, information and
communication, and monitoring. As such, ISACA has elected to utilize the five-component
Identifying assets
Organizations cannot protect what they are not aware of, so they must identify all assets,
with a sharp focus on those most critical. Once a full list of assets is obtained, the organization
must categorize them using some taxonomy, or categorization criteria. In a basic sense, assets
Once assets are categorized, the next step is to assign criticality and confidentiality levels.
Criticality and confidentiality levels serve to dictate the specific controls for groups of assets,
based on confidentiality, integrity and availability requirements. The criteria below offer an
After identifying, classifying and assigning criticality levels to assets, the next step is to
identify their threats and vulnerabilities. Threats occur because of vulnerabilities. Vulnerabilities
are weaknesses in people, processes and technology, and are exploited by threats. For instance,
malicious software, or malware, is a threat that can exploit the vulnerability of having unpatched
systems. Another potential threat is a blackout, which can exploit the lack of generators.
Threats are categorized as business, technical, physical or administrative. It is important for
organizations to not only be aware of their threats and vulnerabilities, but also understand them
Risk calculation
Calculating risk is essential to determining the best use of resources. A simple formula for
calculating risk is Risk = Asset Value x Threat x Vulnerability. Asset value is more than its
initial cost: the value of an asset increases as resources are applied to it and as competitors value it.
Resources are applied to assets in development, testing, operations and maintenance. In
addition, the information within an asset has value. For example, consider a Web server that accepts
customer information: if the database that contains that customer information is compromised, its loss
may cause legal penalties and reputation damage. Likewise, loss of trade secrets can cause a
decrease in market share and in competitive advantage. Therefore, asset value must take into
account all factors that affect it. (Availability Risk Assessment — A Quantitative
Calculating a threat value requires looking at its estimated projected loss (PL) and annual
rate of occurrence (ARO). PL is the percentage of the asset exposed if the threat occurs. That is,
if malware compromises the database that holds customer information and 50% data loss is
anticipated, then PL is 50%. We then look at the threat's ARO by determining how often a threat
is projected to occur within a single year. In this case, the projection may be an annual rate of
occurrence of once every two years, or 0.50. This would make our threat calculation 0.25 (PL x
The last calculation before determining risk is the deficiency level (DL). DL is the amount of
protection still deficient given the controls already in place. That is, if the existing antimalware
technology in place to protect the company's database is 80% effective, then there is a 20% deficiency level.
Using this figure, along with the asset value and threat calculations, we can calculate risk. In this
example, let's use $1,000,000 as the value of the database. In such a case, risk = $1,000,000 x
0.25 x 20% = $50,000. Under this scenario, we can justify an investment of up to $50,000 to
The risk assessment process enables audit teams to prioritize engagements based on risk,
while remaining focused on critical assets that significantly affect business operations. This risk
assessment process is coupled with ranking risks in the audit universe. Remember, these
exercises require some estimation, since each attack or threat vector is different.
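The formula above, carried through as an added example (not code from the paper): Threat = PL x ARO, the deficiency level is what existing controls leave uncovered, and Risk = Asset Value x Threat x DL, which also gives the ceiling on a justified control investment. The customer-database figures are the paper's; the control-cost comparison and the "risk from already estimated factors" helper are the example's own additions.

```python
"""Quantitative risk model described in the paper (added example, not the paper's code).

Risk = Asset Value x Threat x Vulnerability, where
  Threat        = PL x ARO  (projected loss fraction x annual rate of occurrence)
  Vulnerability = DL        (deficiency level = 1 - effectiveness of existing controls)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float            # dollars; includes data, legal and reputation value
    projected_loss: float         # PL: fraction of the asset lost if the threat occurs
    occurrences_per_year: float   # ARO: 0.5 means once every two years
    control_effectiveness: float  # fraction of the threat that existing controls stop


def _check_fraction(label: str, value: float) -> None:
    """PL, single-number threat/vulnerability estimates and effectiveness lie in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


def threat_value(s: Scenario) -> float:
    """Threat = PL x ARO (ARO may exceed 1 for threats expected several times a year)."""
    _check_fraction("projected_loss", s.projected_loss)
    if s.occurrences_per_year < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return s.projected_loss * s.occurrences_per_year


def deficiency_level(s: Scenario) -> float:
    """DL = protection still missing after existing controls (80% effective -> 0.20)."""
    _check_fraction("control_effectiveness", s.control_effectiveness)
    return 1.0 - s.control_effectiveness


def annual_risk(s: Scenario) -> float:
    """Risk in dollars per year = Asset Value x Threat x DL."""
    return s.asset_value * threat_value(s) * deficiency_level(s)


def risk_from_factors(asset_value: float, threat: float, vulnerability: float) -> float:
    """Same formula when threat and vulnerability are already estimated as single numbers."""
    _check_fraction("threat", threat)
    _check_fraction("vulnerability", vulnerability)
    return asset_value * threat * vulnerability


def control_is_justified(s: Scenario, control_cost: float, new_effectiveness: float) -> bool:
    """Paper's rule of thumb: spend up to the risk a control removes.

    The control pays for itself if its cost is no more than the drop in annual risk
    produced when the deficiency level falls to 1 - new_effectiveness.
    """
    improved = Scenario(s.name, s.asset_value, s.projected_loss,
                        s.occurrences_per_year, new_effectiveness)
    return control_cost <= annual_risk(s) - annual_risk(improved)


# The paper's customer-database example: $1,000,000 asset, 50% loss expected,
# once every two years, antimalware 80% effective -> threat 0.25, DL 0.20, risk $50,000.
CUSTOMER_DB = Scenario("customer database", 1_000_000, 0.50, 0.50, 0.80)

if __name__ == "__main__":
    print(f"threat={threat_value(CUSTOMER_DB):.2f} DL={deficiency_level(CUSTOMER_DB):.2f} "
          f"risk=${annual_risk(CUSTOMER_DB):,.0f}")
    # The paper's firewall case (threat 0.4, vulnerability 0.7, risk $420,000) implies a
    # $1,500,000 asset value; that value is back-computed here, not stated in the paper.
    print(f"firewall risk=${risk_from_factors(1_500_000, 0.4, 0.7):,.0f}")
```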
Audit universe
The audit universe includes all potential audit entities and processes that may be assessed
by the audit team. Essentially, the audit universe includes the people, processes and technology
that drive the organization's business objectives. Examples of potential areas within the audit
frameworks, policies and boundary protection. Along with determining risk in monetary terms,
Risk ranking is the process of using judgment to score audit entities. The risk ranking
table is calculated using a concern rating scale and the value assigned to each risk area. For
instance, the table below regards Web applications as a high-risk area. The table lists Web
application complexity as a high concern, which has a concern rating of three. The value
assigned to complexity is 1.75; therefore, 1.75 x 3 = 5.25, the risk value for Web applications
complexity.
Given the ranking criteria, the top 20% of audit entities are considered high risk and must
be audited in that year. According to this table, all Web applications and Web servers must be
audited this year. A more comprehensive risk ranking table could rank specific Web
applications, or even each Payment Card Industry Data Security Standard (PCI DSS)
requirement as its own auditable entity. The level of detail in listing entities is dependent upon
the size of the audit universe and the resources available to perform an in-depth risk ranking
assessment. The annual risk assessment and ranking process determines the audit plan.
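The risk ranking described above, as an added example that is not part of the paper: each entity's concern ratings (3 = high, 2 = medium, 1 = low) are weighted with the column values of the paper's risk ranking table and summed, and the top 20% of the audit universe is flagged for audit this year. The ten entities and their ratings are constructed for illustration; only the weights and the Web application complexity score (1.75 x 3 = 5.25) come from the paper.

```python
"""Risk ranking of the audit universe (added example, not from the paper).

Each audit entity gets a concern rating per criterion (3 = high, 2 = medium, 1 = low);
the rating is multiplied by the criterion's weight and the products are summed.
The weights are the column values of the paper's risk ranking table; the entities
and their ratings below are constructed for illustration.
"""

WEIGHTS = {
    "potential_concerns": 1.5,
    "existing_controls_and_compliance": 2.0,
    "staff_or_system_changes": 1.0,
    "complexity": 1.75,
    "prior_audit_findings": 1.5,
}
HIGH, MEDIUM, LOW = 3, 2, 1


def risk_score(ratings: dict) -> float:
    """Weighted sum; e.g. complexity rated HIGH contributes 1.75 x 3 = 5.25."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError(f"ratings must cover exactly these criteria: {sorted(WEIGHTS)}")
    for criterion, rating in ratings.items():
        if rating not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{criterion}: rating must be 1, 2 or 3, got {rating}")
    return sum(WEIGHTS[c] * r for c, r in ratings.items())


def rank_audit_universe(universe: dict, high_risk_percent: int = 20) -> list:
    """Return (entity, score, must_audit_this_year) from highest to lowest score.

    The paper's rule: the top 20% of entities are high risk and audited this year.
    Integer ceiling division keeps at least one entity in scope for small universes.
    """
    scored = sorted(((risk_score(r), name) for name, r in universe.items()),
                    key=lambda t: (-t[0], t[1]))
    cutoff = (len(scored) * high_risk_percent + 99) // 100
    return [(name, score, i < cutoff) for i, (score, name) in enumerate(scored)]


def high_risk_entities(universe: dict, high_risk_percent: int = 20) -> list:
    """Names of the entities that must be audited this year, highest score first."""
    return [name for name, _, flagged in rank_audit_universe(universe, high_risk_percent)
            if flagged]


def _ratings(concerns, controls, changes, complexity, findings) -> dict:
    """Build a ratings dict in the same column order as WEIGHTS."""
    return dict(zip(WEIGHTS, (concerns, controls, changes, complexity, findings)))


# Constructed ten-entity audit universe (2 of 10 = the paper's 20% high-risk cut).
UNIVERSE = {
    "Web applications":    _ratings(HIGH, HIGH, HIGH, HIGH, HIGH),
    "Web servers":         _ratings(HIGH, HIGH, MEDIUM, HIGH, HIGH),
    "Corporate firewalls": _ratings(HIGH, HIGH, HIGH, MEDIUM, MEDIUM),
    "PCI DSS compliance":  _ratings(HIGH, MEDIUM, MEDIUM, MEDIUM, MEDIUM),
    "Active Directory":    _ratings(MEDIUM, MEDIUM, MEDIUM, MEDIUM, MEDIUM),
    "Email gateway":       _ratings(MEDIUM, MEDIUM, LOW, MEDIUM, LOW),
    "Backup and recovery": _ratings(MEDIUM, LOW, LOW, MEDIUM, MEDIUM),
    "Wireless network":    _ratings(MEDIUM, MEDIUM, MEDIUM, LOW, LOW),
    "Help desk ticketing": _ratings(LOW, LOW, MEDIUM, LOW, LOW),
    "Intranet portal":     _ratings(LOW, LOW, LOW, LOW, LOW),
}

if __name__ == "__main__":
    for name, score, flagged in rank_audit_universe(UNIVERSE):
        print(f"{name:20s} {score:6.2f} {'AUDIT THIS YEAR' if flagged else ''}")
```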
Audit plan
The audit plan outlines the annual audit schedule, scope, objectives and resources
required to start audit engagements. The audit plan is created using risk assessment results and
risk ranking. The risk assessment truly drives this process as it helps the audit team identify
deficiency levels, unaddressed weaknesses, and areas of concern. In addition to the risk ranking
criteria shown in the table above, other potential criteria are recent technology refresh, recent
mergers, recent acquisitions, new regulations, etc. The audit plan defines roles and
responsibilities, the audit team's methodology, logistics and performance measures. Essentially,
the audit plan serves as the road map with management's approval for the audit team to start
conducting audits.
After the annual process of identifying and ranking risk, and developing the audit plan,
the audit team can begin auditing. The auditing process involves a phased, five-step risk-based
process that includes preparation, assessment, mitigation, reporting and follow-up. Each
[Figure: Preparation phase -> Assessment phase -> Mitigation phase -> Reporting phase -> Follow-up phase]
1. Preparation phase
The preparation phase involves individual engagement planning before each audit in the
audit plan. During this phase, the audit team reviews previous working papers, risk assessment
findings, and defines the individual engagement's scope and objectives. The team will listen to
the concerns of management and their operators and then compare that information with their
assessment results. The audit team's focus is to understand the business objectives and functions
2. Assessment phase
The assessment phase involves analyzing systems and processes, identifying vulnerabilities
and documenting concerns. During this phase, the auditor may use a checklist, but will rely
heavily upon experience and judgment to interpret results and identify less-noticeable anomalies.
During this phase, it's important to collaborate with operators to validate the significance of risk.
Certain "textbook" findings may seem significant at first, but may be in place for good reason
validate certain results before causing too much stir by listing them as significant on the final report.
Depending on the system, network, or process being audited, some baseline controls exist that
they can be assessed against. For instance, some of these controls include inventorying
authorized and unauthorized devices, boundary defense, application security, malware defense,
data loss prevention, account control, wireless control and data recovery capabilities. In addition
to auditing against baseline controls, it is important to ensure controls are in place that enable
business functions.
3. Mitigation phase
The mitigation phase involves developing the proper controls to mitigate risk. This
process involves socializing requirements with the company and developing mitigation plans.
While some controls may take weeks or months to implement, others can be rectified on the spot.
This phase involves documenting potential controls and the actions taken by operators to
4. Reporting phase
In the reporting phase, the audit team provides a full report to management outlining its
findings. The group will share mitigation plans for ongoing controls, and outline the most
significant findings. This phase involves developing an executive summary with key information
for managers to make security decisions. The executive summary is a high-level overview that
explains "in a nutshell" the security posture of the organization and the next steps required to
5. Follow-up phase
In the follow-up phase, the audit team corresponds and works with the company to ensure
controls are implemented. In a resource-constrained environment, the company may lack the
skill sets to implement certain control mechanisms. Therefore, the auditors may provide insight
into implementing various controls, and will continue to follow up to ensure their
implementation. It is important for the audit team to have a process for tracking overdue or
upcoming mitigation or correction implementations. The team should create a tracking system
that contains an easy-to-follow dashboard that provides the status of implementations and their
due dates.
Data analysis
auditing in risk assessment is all about, let's hypothesize a case scenario that brings it all together.
In this case, we walk through it at a high level. This company accepts credit cards within its 100
Company identified all assets and categorized them by type, value and complexity. It
used the risk ranking table below to rank its risk using the listed criteria.
Audit Entity | Potential Concerns (1.5) | Existing Management Controls & Compliance (2.0) | Staff/System Changes (1.0) | Complexity (1.75) | Prior Auditing Findings (1.5) | Risk
After ranking a few audit entities within its audit universe, Company found that its
primary concerns are corporate firewalls and PCI DSS compliance. Specifically, it is concerned
with the "Build and maintain a secure environment" PCI DSS requirement because it recently
lost its primary firewall administrator. The company classified its firewalls as confidential
(requiring strict controls to prevent unauthorized access), with criticality level 1 (requiring a high
level of protection for vital sustainment of business operations). Within its audit plan, the audit
team decides to focus a lot of effort toward its corporate firewalls and the above PCI DSS
requirement.
During the preparation phase, the auditors find that the former firewall administrator
rarely documented firewall changes, had not updated the network topology in several months,
and left junior staff untrained. In order to protect e-commerce data and prevent regulatory
penalties, the audit team agrees to perform a full scrub of each firewall's rule set. It intends to
assess ingress and egress filtering, including the documentation of each rule, and all blocked and
During the assessment phase, the audit team finds that the firewalls used within the
enterprise are at their end-of-life and close to end-of-support by the vendor. This was just one of
many findings, but the most significant one, requiring immediate attention. The audit team worked
with management to determine the value of the firewall assets and the cost required to update them.
In the mitigation phase, the group determines that the risk of not replacing the corporate firewalls
is too costly.
circumstances increase the threat and vulnerability calculations to 0.4 and 0.7, respectively,
making the risk level $420,000. This was due to an increase in the threat (projected loss and
annual rate of occurrence) once vendor support is gone, and an increase in deficiency once
vendor support is lost. The Company sets a $400,000 budget to cover maintenance contracts,
training, testing and deployment of the new firewall product. The group then decides to invest an
additional $20,000 to hire an external company to test and validate the effectiveness of its
controls.
In the reporting phase, the audit team recaps the corporate firewall and PCI DSS concerns
with the management team. They cover the next steps required to begin the firewall upgrades and
follow-up milestone dates. To provide positive points, they report some of the shortfalls in the
existing firewall architecture that the administrators were able to correct on the spot. One area in
particular was the "default deny" rule on the firewall. In addition, the report covered other areas found
during the audit, including use of an authentication server on infrastructure devices and
Conclusions
This paper highlights the core areas of a risk-based audit applied to IT risk management
and assessment. From the risk assessment and risk ranking process, to assessing and reporting
is important for the audit team to be mindful of the amount of estimation used in the IT risk
ranking process. IT auditors must be realistic in their analysis of threats and risks in the IT
environment, and use measurable numbers where possible. Using this approach on a regular basis
enables organizations to achieve enterprise IT security. Most importantly, this effective IT risk
assessment yields forward-looking insight, not only allowing organizations to avoid IT risks, but
providing greater and more meaningful clarity around the IT risks they do face. Armed with this
insight and perspective, organizations are much better positioned to take the right IT risks, and
can better manage them when they do. In the long run, organizations that continuously reposition
themselves to capitalize on longer-term opportunities are more likely to surpass their business
objectives, and this capability will lead to lasting success in today's ever-changing business
environment.
References
Framework, www.coso.org
vol 1, 2010
5. Risk IT: Based on COBIT Objectives and Principles, Fischer, Urs; ISACA Journal, vol. 4, 2009
6. What Every IT Auditor Should Know About Auditing Information Security, Singleton,
7. IT Audit Basics: What Every IT Auditor Should Know About IT Risk Assessment,