
Risk-Based IT Audit

Risk-Based Audit Methodology

Apply to Organization’s IT Risk Management

Kun Tao (Quincy)

Cal Poly Pomona

Author Note

This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson.

March 2014

Page 1 of 26
Risk-Based IT Audit

Table of Contents

Abstract .......................................................................................................................................... 3

Introduction .................................................................................................................................... 4

Methodology................................................................................................................................... 6

Risk-based auditing methodology: Risk assessment...................................................................... 6

IT Risk Management................................................................................................................... 7

IT Risk Control Framework........................................................................................................ 8

Identifying assets...................................................................................................................... 13

Determining criticality and confidentiality levels......................................................................14

Threat and vulnerability identification...................................................................................... 15

Risk calculation......................................................................................................................... 16

Audit universe........................................................................................................................... 17

Audit plan.................................................................................................................................. 18

Steps of a risk-based audit methodology.................................................................................. 19

Preparation phase.................................................................................................................. 19

Assessment phase.................................................................................................................. 19

Mitigation phase.................................................................................................................... 20

Reporting phase.................................................................................................................... 20

Follow-up phase.................................................................................................................... 20

Data analysis................................................................................................................................. 22

Conclusions................................................................................................................................... 25

References .................................................................................................................................... 26


Abstract

Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and information technology (IT). This paper discusses how implementing an IT risk management framework can enhance the efficiency of IT risk management and risk reporting efforts. It provides a quick overview of the IT risk management and control framework, ways to identify business risk, and the efficient and effective IT risk management practices IT auditors need to consider. The paper also focuses on IT risk assessment from an enterprise risk-based auditing perspective. Additionally, it offers a simple risk-based audit methodology for organizations that want to develop an internal IT audit program, or that are looking for new ways to assess security risks.

Keywords: risk-based auditing; IT risk management; ERM; COBIT; risk assessment


Introduction

Today’s business world is constantly changing—it’s unpredictable, volatile, and seems to become more complex every day. By its very nature, it is fraught with risk. The increased demand for transparency around risk has not always been met, however, as evidenced by the financial market crisis, where the poor quality of underlying assets significantly impacted the value of investments. As a result, identifying, managing, and exploiting risk across an organization has become increasingly important to the success and longevity of any business.

Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Risk assessment gives organizations a clear view of the variables to which they may be exposed, whether internal or external, retrospective or forward-looking. A good risk assessment is anchored in the organization’s defined risk appetite and tolerance, and it provides a basis for determining risk responses. A robust risk assessment process, applied consistently throughout the organization, empowers management to better identify, evaluate, and exploit the right risks for the business, all while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance. (A practical guide to risk assessment, PwC, 2008)

As organizations become more dependent on integrated technologies and automated systems, management is concerned with the rising costs associated with performing audits of internal information system security. Because IT audits are such a critical component of an organization’s functioning, organizational management often pushes to ensure the proper and efficient operation of the audit department. This has, however, brought to the fore the potentially lucrative cost benefits of outsourcing the information system audit function. There are also instances where an information systems audit is not a core competency of an organization’s internal audit function. Nevertheless, IT risks need to be considered because they can change the company's control environment. IT is also critical to ensuring that operational assets are used effectively and to maintaining the integrity and reliability of the organization's financial reporting process. (Risk IT: Based on COBIT Objectives and Principles, Fischer, 2009) Implementing the Risk-Based Audit Methodology should not only enhance the efficiency and effectiveness of IT risk management, business operations, and risk reporting, but also highlight the unique role that IT plays when identifying events or incidents that may affect the organization's ability to achieve its objectives.

To identify IT risks using the Risk-Based Audit Methodology, auditors can help companies conduct an enterprise-wide risk assessment. (What Every IT Auditor Should Know About IT Risk Assessment, Tommie W. Singleton, 2009) This also helps to identify any risks that are inconsistent with, or in excess of, the organization’s risk appetite.

Methodology

Audits are an essential component of an organization's security strategy. They enable staff to meet regulatory requirements, validate that existing controls protect business functions, and determine when new controls are required. Unlike an audit in which the auditor uses a checklist and pen to determine compliance, a risk-based audit requires an understanding of the organization's business functions and objectives, and a willingness to dig deep within systems and networks.

"In a risk-based audit approach, information systems auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business" (ISACA). Thus, a risk-based audit provides a more thorough assessment of business risk, and enables managers to make informed decisions based on their risk appetites. Aligning enterprise IT decisions and practices with the level of acceptable risk in an organization is the driver for beginning a risk-based audit, and it is the risk assessment process that helps determine that risk threshold.

Risk-based auditing methodology: Risk assessment

Risk assessment is a systematic process for identifying and evaluating events (e.g., possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Such events can be identified in the external environment (e.g., economic trends, regulatory landscape, and competition) and within an organization’s internal environment (e.g., people, process, and infrastructure). When these events intersect with an organization’s objectives—or can be predicted to do so—they become risks. Risk is therefore defined as “the possibility that an event will occur and adversely affect the achievement of objectives.” (COSO, Enterprise Risk Management—Integrated Framework, www.coso.org)

Risk appetite or acceptable risk is the amount of risk exposure that a business is willing to accept. The organization must set a threshold for identifying when and where to implement controls to mitigate risk. This process is essential to determining what controls are good to have vs. those necessary to protect business functions. Several risk management methodologies, such as those by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), provide management with good estimates for assessing acceptable risk. In some manner, those methodologies commonly include identifying assets, threats, vulnerabilities and controls.

Figure: Risk response strategies (source: http://www.pwc.com/en_us/us/issues/enterprise-risk management/assets/risk_assessment_guide.pdf)

IT Risk Management

IT risk is a component of the enterprise’s overall risk universe. Information technologies and systems are a major part of the enterprise infrastructure. Integration and alignment of IT risk and enterprise or business risk is a necessity. IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events and conditions that could potentially impact the business.

The primary view of IT is that of an operations or service delivery organization. In this capacity, IT risk addresses the ability to deliver the IT services that enable the enterprise to perform day-to-day operational processes. However, IT risk also addresses system development, acquisition and maintenance processes. This relates to ensuring the selection, development and maintenance of business processes that operate the revenue generation and fulfillment of the organization, and address business needs in a cost-effective manner. Finally, IT risk addresses the ability for IT to provide value and/or benefit to the enterprise through automation. Risk assessment can therefore be conducted at various levels of the organization. (The Risk IT Framework Excerpt, ISACA, 2010)

The objectives and events under consideration determine the scope of the risk assessment to be undertaken. Examples of frequently performed IT risk assessments include:

- Compliance risk assessment. Evaluation of risk factors relative to the organization’s compliance obligations, considering laws and regulations, policies and procedures, ethics and business conduct standards, and contracts, as well as strategic voluntary standards and best practices to which the organization has committed. This type of assessment is typically performed by the compliance function with input from business areas.

- Security risk assessment. Evaluation of potential breaches in an organization’s physical assets and information protection and security. This considers infrastructure, applications, operations, and people, and is typically performed by an organization’s information security function.

- Information technology risk assessment. Evaluation of the potential for technology system failures and the organization’s return on information technology investments. This assessment would consider such factors as processing capacity, access control, data protection, and cyber-crime. This is typically performed by an organization’s information technology risk and governance specialists.

- Project risk assessment. Evaluation of the risk factors associated with the delivery or implementation of a project, considering stakeholders, dependencies, timelines, cost, and other key considerations. This is typically performed by project management teams.

(A practical guide to risk assessment, PwC, 2008)

IT Risk Control Framework

The Information Systems Audit and Control Association (ISACA)’s Control Objectives for Information and Related Technology (COBIT) framework is built on generally applicable and accepted good practices. COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risk. COBIT enables clear policy development and good practice for IT control throughout enterprises. The COBIT control objective should be identified for each audit/assurance step in the section. COBIT provides in-depth control objectives and suggested control practices at each level.

As described in the following Executive Summary section, IT risk management supports and drives business processes and includes the primary business functions with the IT organization.

The primary COBIT processes associated with IT risk management are PO9 Assess and manage IT risks, and ME4.5 Provide IT governance – Risk management. (IT Risk Management Audit/Assurance Program, ISACA, 2012)

Figure 1 — COBIT Control Objective

PO9 Assess and Manage IT Risks

PO9.1 IT Risk Management Framework—Establish an IT risk management framework that is aligned to the organization’s (enterprise’s) risk management framework.

PO9.2 Establishment of Risk Context—Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes.

PO9.3 Event Identification—Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise.

PO9.4 Risk Assessment—Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

PO9.5 Risk Response—Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis.

PO9.6 Maintenance and Monitoring of a Risk Action Plan—Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.

ME4 Provide IT Governance

ME4.5 Risk Management—Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.

(Refer to COBIT 4.1 for the control objectives in their entirety. Refer to ISACA’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2007)

Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in the IT audit program. The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. A robust risk assessment process forms the foundation for an effective enterprise risk management program. It constitutes a key component of the Enterprise Risk Management—Integrated Framework and related Application Guidance published by the Committee of Sponsoring Organizations in 2004 (COSO ERM). It is important to recognize the interrelationships between risk assessment and the other components of enterprise risk management, such as control activities and monitoring, and to understand the principles and steps that help ensure the relevance and effectiveness of a risk assessment.

Enterprise Risk Management (ERM) works with organizations to provide complete or partial information systems department functions, auditing for compliance with internal systems, technical audit training, and special assistance on a project-by-project basis. ERM’s team of internal information systems auditors helps organizations to focus on the critical information systems risks that impact the bottom line of their operations. Organizations that vigorously interpret the results of their risk assessment process set a foundation for establishing an effective ERM program and are better positioned to capitalize on opportunities as they arise. The ERM framework can help organizations improve their IT risk management efforts by:

- Aligning the company's risk appetite and risk strategy.

- Enhancing risk response decisions.

- Reducing operational surprises and losses.

- Identifying and managing multiple and cross-enterprise risks.

The primary difference between the two frameworks is the additional focus of ERM on integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 2.

Figure 2 — Comparison of COSO Internal Control and ERM Integrated Frameworks

Each row pairs a component of the Internal Control Framework (left) with the corresponding component of the ERM Integrated Framework (right). Components that exist only in the ERM framework have no Internal Control Framework entry.

Internal Control Framework, Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM Integrated Framework, Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework, Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework, Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Internal Control Framework, Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM Integrated Framework, Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control Framework: (no corresponding component)
ERM Integrated Framework, Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control Framework, Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM Integrated Framework, Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework, Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM Integrated Framework, Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Internal Control Framework, Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM Integrated Framework, Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

(Information for figure 2 was obtained from the COSO web site, www.coso.org)

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these IT audit programs.

Identifying assets

Organizations cannot protect what they are not aware of, so they must identify all assets, with a sharp focus on those most critical. Once a full list of assets is obtained, the organization must categorize them using some taxonomy, or categorization criteria. In a basic sense, assets can be categorized and assessed as below.

Type: information, hardware, software, services, etc.
Value: value to business and competition
Complexity: abnormal overhead, compatibility, or operational requirements
Age: period of operation, breakdown history and projected lifespan

Determining criticality and confidentiality levels

Once assets are categorized, the next step is to assign criticality and confidentiality levels. Criticality and confidentiality levels serve to dictate the specific controls for groups of assets, based on confidentiality, integrity and availability requirements. The criteria below offer an easy approach to assigning criticality and confidentiality levels to assets.

Criticality levels based on integrity and availability requirements

Criticality level | Level of protection | Definition | Examples
1 | High | vital to the sustainment of business operations | a stock trading server for a stock trading company
2 | Medium | important to supporting business operations | a mail server for a stock trading company
3 | Basic | necessary for day-to-day business operations | a print server for a stock trading company

Classification levels based on confidentiality requirements

Classification level | Definition | Examples
Confidential | unauthorized disclosure could have grave consequences for the company | trade secrets, source code, etc.
Private | unauthorized disclosure could affect the image of the company | personnel data, financial information, etc.
Public | no negative impact towards the company | new services, etc.

Threat and vulnerability identification

After identifying, classifying and assigning criticality levels to assets, the next step is to identify their threats and vulnerabilities. Threats occur because of vulnerabilities. Vulnerabilities are weaknesses in people, processes and technology, and are exploited by threats. For instance, malicious software or malware is a threat that can exploit the vulnerability of having non-patched systems. Another potential threat is a blackout, which can exploit the lack of generators. Threats are categorized as business, technical, physical or administrative. It is important for organizations to not only be aware of their threats and vulnerabilities, but also understand them in order to determine the level of risk they pose and the required countermeasures.

Risk calculation

Calculating risk is essential to determining the best use of resources. A simple formula for calculating risk is Risk = Asset Value x Threat x Vulnerability. Asset value is more than its initial cost: the value of an asset increases as resources are applied, and as competitors value it. Resources are applied towards assets in development, testing, operations and maintenance. In addition, the information within an asset is of value. For example, consider a Web server that accepts customer information: if the database that contains the customer information is compromised, its loss may cause legal penalties and reputation damage. Likewise, loss of trade secrets can cause a decrease in market share and in competitive advantage. Therefore, asset value must take into account all factors that affect its value. (Availability Risk Assessment — A Quantitative Approach, Hariharan, 2010)

Calculating a threat value requires looking at its estimated projected loss (PL) and annual rate of occurrence (ARO). PL is the percentage of the asset exposed if the threat occurs. That is, if malware compromises the database that holds customer information and 50% data loss is anticipated, then PL is 50%. We then look at the threat's ARO by determining how often the threat is projected to occur within a single year. In this case, the projection may be an annual rate of occurrence of once every two years, or 0.50. This would make our threat calculation 0.25 (PL x ARO). (Hariharan, 2010)

The last calculation before determining risk is the deficiency level (DL). DL is the amount of protection still lacking given the controls already in place. That is, if the existing antimalware technology in place to protect the company's database is 80% effective, then there is a 20% deficiency level. Using this figure, along with the asset value and threat calculations, we can calculate risk. In this example, let's use $1,000,000 as the value of the database. In such a case, risk = $1,000,000 x 0.25 x 20% = $50,000. Under this scenario, we can justify an investment of up to $50,000 to protect the critical database.
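The calculation above, carried through in code as an added example (this is not the paper's own code): the class and function names, the range checks, and the closing what-if comparison of a proposed control's annual cost against the risk it removes are this example's own assumptions; the input values are the paper's worked example (a $1,000,000 database, 50% projected loss, once every two years, existing controls 80% effective).

```python
from dataclasses import dataclass, replace

# Risk model from the paper:
#   Threat = PL x ARO          (projected loss fraction x annual rate of occurrence)
#   DL     = 1 - effectiveness (deficiency level left by existing controls)
#   Risk   = Asset value x Threat x DL
# Names below (ThreatScenario, risk_reduction, control_is_justified) are assumptions
# made for this example, not terms from the paper.


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    asset_value: float                # full value, all value factors included (monetary)
    projected_loss: float             # PL: fraction of the asset exposed if the threat occurs (0..1)
    annual_rate_of_occurrence: float  # ARO: expected occurrences per year (0.5 = once in two years)
    control_effectiveness: float      # effectiveness of controls already in place (0..1)

    def __post_init__(self) -> None:
        # Fractions outside 0..1 or negative money/rates would silently produce
        # nonsense, so reject them up front.
        for name in ("projected_loss", "control_effectiveness"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")
        if self.asset_value < 0 or self.annual_rate_of_occurrence < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def threat_value(self) -> float:
        """PL x ARO: expected fraction of the asset lost per year to this threat."""
        return self.projected_loss * self.annual_rate_of_occurrence

    def deficiency_level(self) -> float:
        """DL: share of protection still missing given existing controls."""
        return 1.0 - self.control_effectiveness

    def risk(self) -> float:
        """Annualised risk in the asset's monetary unit; the ceiling for a justified investment."""
        return self.asset_value * self.threat_value() * self.deficiency_level()


def risk_reduction(scenario: ThreatScenario, new_effectiveness: float) -> float:
    """Annual risk removed by a control that lifts effectiveness to new_effectiveness."""
    improved = replace(scenario, control_effectiveness=new_effectiveness)
    return scenario.risk() - improved.risk()


def control_is_justified(scenario: ThreatScenario, new_effectiveness: float,
                         annual_cost: float) -> bool:
    """A control pays for itself when its annual cost does not exceed the risk it removes."""
    return annual_cost <= risk_reduction(scenario, new_effectiveness)


# The paper's worked example: customer database worth $1,000,000, malware threat with
# 50% projected loss, expected once every two years, anti-malware 80% effective.
CUSTOMER_DB = ThreatScenario("customer database", 1_000_000, 0.50, 0.50, 0.80)

if __name__ == "__main__":
    s = CUSTOMER_DB
    print(f"threat value     = {s.threat_value():.2f}")       # 0.25
    print(f"deficiency level = {s.deficiency_level():.2f}")   # 0.20
    print(f"annual risk      = ${s.risk():,.0f}")             # $50,000
    # Constructed what-if: a control costing $30,000 a year that raises effectiveness to 95%.
    print("95% control for $30,000/yr justified:", control_is_justified(s, 0.95, 30_000))
```

The what-if at the end is the practical use of the figure: the $50,000 is an upper bound on spend, and a specific control is only worth buying if its annual cost stays below the reduction in annual risk it actually delivers.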

The risk assessment process enables audit teams to prioritize engagements based on risk, while remaining focused on critical assets that significantly affect business operations. This risk assessment process is coupled with ranking risks in the audit universe. Remember, these exercises require some estimation, since each attack or threat vector is different.

Audit universe

The audit universe includes all potential audit entities and processes that may be assessed by the audit team. Essentially, the audit universe includes the people, processes and technology that drive the organization's business objectives. Examples of potential areas within the audit universe include infrastructure, applications, processes, architectures, regulatory compliance, frameworks, policies and boundary protection. Along with determining risk in monetary terms, another way is to rank risk using a risk table.

Risk ranking is the process of using judgment to score audit entities. The risk ranking table is calculated using a concern rating scale and the value assigned to each risk area. For instance, the table below regards Web applications as a high-risk area. The table lists Web application complexity as a high concern, which has a concern rating of three. The value assigned to complexity is 1.75; therefore, 1.75 x 3 = 5.25, the risk value for Web application complexity.

Given the ranking criteria, the top 20% of audit entities is considered high risk and must be audited in that year. According to this table, all Web applications and Web servers must be audited this year. A more comprehensive risk ranking table could rank specific Web applications, or even each Payment Card Industry Data Security Standard (PCI DSS) requirement, as its own auditable entity. The level of detail in listing entities depends on the size of the audit universe and the resources available to perform an in-depth risk ranking assessment. The annual risk assessment and ranking process determines the audit plan.
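The ranking procedure described above, as an added example that is not part of the paper: the concern rating scale (high = 3) and the complexity weight of 1.75 come from the paper; the other factor weights, the ten audit entities and all of their ratings are constructed for this illustration, and the function names are this example's own. It generalises the single cell computed in the text (1.75 x 3 = 5.25) to a full table, sums the factor scores per entity, and flags the top 20% as must-audit entities.

```python
import math

# Concern rating scale: the paper's "high concern = 3"; low and medium are the
# natural lower steps of the same scale.
CONCERN_RATING = {"low": 1, "medium": 2, "high": 3}

# Value (weight) assigned to each risk factor. Only the complexity weight is from
# the paper; the others are constructed for this example.
FACTOR_WEIGHT = {
    "complexity": 1.75,        # from the paper
    "data_sensitivity": 2.00,  # constructed: classification of data handled
    "exposure": 1.50,          # constructed: reachability from untrusted networks
    "change_rate": 1.00,       # constructed: recent refresh, mergers, new regulation
}


def factor_score(factor: str, concern: str) -> float:
    """Risk value for one factor: weight x concern rating (1.75 x 3 = 5.25 in the paper)."""
    return FACTOR_WEIGHT[factor] * CONCERN_RATING[concern]


def entity_score(ratings: dict) -> float:
    """Sum of factor scores for one audit entity; an unknown factor or rating raises KeyError."""
    return sum(factor_score(factor, concern) for factor, concern in ratings.items())


def rank_audit_universe(universe: dict, high_risk_share: float = 0.20) -> list:
    """Rank entities by score (highest first, name breaks ties) and flag the top
    share, rounded up, as high risk. Returns (entity, score, high_risk) tuples."""
    ranked = sorted(universe.items(), key=lambda kv: (-entity_score(kv[1]), kv[0]))
    cutoff = math.ceil(len(ranked) * high_risk_share)
    return [(name, entity_score(ratings), index < cutoff)
            for index, (name, ratings) in enumerate(ranked)]


# Constructed audit universe of ten entities with their concern ratings.
AUDIT_UNIVERSE = {
    "Web applications":   {"complexity": "high",   "data_sensitivity": "high",   "exposure": "high",   "change_rate": "high"},
    "Web servers":        {"complexity": "medium", "data_sensitivity": "high",   "exposure": "high",   "change_rate": "medium"},
    "Database servers":   {"complexity": "medium", "data_sensitivity": "high",   "exposure": "low",    "change_rate": "low"},
    "Email":              {"complexity": "low",    "data_sensitivity": "medium", "exposure": "high",   "change_rate": "low"},
    "Print servers":      {"complexity": "low",    "data_sensitivity": "low",    "exposure": "low",    "change_rate": "low"},
    "Wireless network":   {"complexity": "medium", "data_sensitivity": "medium", "exposure": "high",   "change_rate": "low"},
    "Backup and recovery": {"complexity": "medium", "data_sensitivity": "high",  "exposure": "low",    "change_rate": "low"},
    "Identity and access management": {"complexity": "medium", "data_sensitivity": "high", "exposure": "medium", "change_rate": "medium"},
    "Security policies":  {"complexity": "low",    "data_sensitivity": "low",    "exposure": "low",    "change_rate": "medium"},
    "Vendor management":  {"complexity": "low",    "data_sensitivity": "medium", "exposure": "medium", "change_rate": "low"},
}


def must_audit_this_year(universe: dict = AUDIT_UNIVERSE) -> list:
    """Names of the entities in the high-risk band, in ranked order."""
    return [name for name, _, high in rank_audit_universe(universe) if high]


if __name__ == "__main__":
    for name, score, high in rank_audit_universe(AUDIT_UNIVERSE):
        flag = "HIGH RISK: audit this year" if high else ""
        print(f"{name:32s} {score:6.2f}  {flag}")
```

With these constructed ratings the two entities in the top 20% are Web applications and Web servers, matching the outcome the paper reports for its own table. Because the weights and concern ratings are judgment calls, the table is most useful when the inputs are recorded alongside the result so that next year's ranking can be compared against this one.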

Audit plan

The audit plan outlines the annual audit schedule, scope, objectives and resources required to start audit engagements. The audit plan is created using risk assessment results and risk ranking. The risk assessment truly drives this process as it helps the audit team identify deficiency levels, unaddressed weaknesses, and areas of concern. In addition to the risk ranking criteria shown in the table above, other potential criteria are recent technology refresh, recent mergers, recent acquisitions, new regulations, etc. The audit plan defines roles and responsibilities, the audit team's methodology, logistics and performance measures. Essentially, the audit plan serves as the road map, with management's approval, for the audit team to start conducting audits.

Steps of a risk-based audit methodology

After the annual process of identifying and ranking risk, and developing the audit plan, the audit team can begin auditing. The auditing process is a phased, five-step risk-based process consisting of preparation, assessment, mitigation, reporting and follow-up. Each phase is explained below.

Preparation phase Assessment phase Mitigation phase Reporting phase Follow-up phase

1. Preparation phase

The preparation phase involves individual engagement planning before each audit in the audit plan. During this phase, the audit team reviews previous working papers and risk assessment findings, and defines the individual engagement's scope and objectives. The team listens to the concerns of management and their operators and then compares that information with its assessment results. The audit team's focus is to understand the business objectives and functions of the company in order to make the most informed assessment.

2. Assessment phase

The assessment phase involves analyzing systems and processes, identifying vulnerabilities and documenting concerns. During this phase, the auditor may use a checklist, but will rely heavily upon experience and judgment to interpret results and identify less-noticeable anomalies. It is important to collaborate with operators to validate the significance of each risk. Certain "textbook" findings may seem significant at first but may be in place for good reason, such as unique operational requirements for certain applications. Therefore, it is important to validate such results before causing too much stir by listing them as significant in the final report.

Depending on the system, network or process being audited, there are baseline controls against which it can be assessed. For instance, these controls include inventorying authorized and unauthorized devices, boundary defense, application security, malware defense, data loss prevention, account control, wireless control and data recovery capabilities. In addition to auditing against baseline controls, it is important to ensure that controls are in place that enable business functions.

3. Mitigation phase

The mitigation phase involves developing the proper controls to mitigate risk. This process involves socializing requirements with the company and developing mitigation plans. While some controls may take weeks or months to implement, others can be rectified on the spot. This phase involves documenting potential controls and the actions taken by operators to mitigate risks on the spot.

4. Reporting phase

In the reporting phase, the audit team provides a full report to management outlining its findings. The group will share mitigation plans for ongoing controls and outline the most significant findings. This phase involves developing an executive summary with key information for managers to make security decisions. The executive summary is a high-level overview that explains "in a nutshell" the security posture of the organization and the next steps required to strengthen its controls.

5. Follow-up phase

In the follow-up phase, the audit team corresponds and works with the company to ensure controls are implemented. In a resource-constrained environment, the company may lack the skill sets to implement certain control mechanisms. Therefore, the auditors may provide insight into implementing various controls, and will continue to follow up to ensure their implementation. It is important for the audit team to have a process for tracking overdue or upcoming mitigation or correction implementations. The team should create a tracking system that contains an easy-to-follow dashboard that provides the status of implementations and their due dates.


Data analysis

Hypothetical case study: Implementing a risk-based audit methodology

Based on the introduction and demonstration above, we understand what risk-based IT auditing in risk assessment is all about; let's consider a hypothetical case scenario that brings it all together. In this case, we walk through it at a high level. This company accepts credit cards within its 100 stores in the US, and through e-commerce using its online storefront.

Company identified all assets and categorized them by type, value and complexity. It used the risk ranking table below to rank its risk using the listed criteria.

Audit Entity              | Potential Concerns (2.0) | Staff/System Complexity (1.75) | Existing Controls & Compliance (1.5) | Management Changes (1.5) | Prior Auditing Findings (1.0) | Risk
--------------------------|--------------------------|--------------------------------|--------------------------------------|--------------------------|-------------------------------|------
Contingency Plan          | Low (2.0)                | Moderate (3.5)                 | Low (1.5)                            | Low (1.5)                | Low (1.0)                     | 9.5
Web Servers               | Moderate (4.0)           | High (5.25)                    | High (4.5)                           | High (4.5)               | High (3.0)                    | 21.25
Web Applications          | High (6.0)               | High (5.25)                    | High (4.5)                           | High (4.5)               | High (3.0)                    | 23.25
Database System           | Moderate (4.0)           | Low (2.0)                      | Low (1.5)                            | Low (1.5)                | Low (1.0)                     | 9.75
PCI DSS Compliance        | Moderate (4.0)           | Moderate (3.5)                 | Low (1.5)                            | Low (1.5)                | Low (1.0)                     | 11.5
ISO 27001 Compliance      | Moderate (4.0)           | Moderate (3.5)                 | Moderate (3.0)                       | Low (1.5)                | Low (1.0)                     | 13
Company Policy Compliance | Low (2.0)                | Low (2.0)                      | Low (1.5)                            | Low (1.5)                | Low (1.0)                     | 9.25
Firewalls                 | High (6.0)               | High (5.25)                    | Low (1.5)                            | Low (1.5)                | Moderate (2.0)                | 15.25
Routers                   | Moderate (4.0)           | Moderate (3.5)                 | Low (1.5)                            | Low (1.5)                | Low (1.0)                     | 11.5

Concern Ratings: Low concern (1); Moderate concern (2); High concern (3)
Risk Ranking: Top 25% = High Risk (audit 100% of entities); Next 50% = Moderate Risk (audit 50% of entities); Bottom 10% = Low Risk (audit 10% of entities)
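The weighted scoring explained above (weight x concern rating per cell, summed per entity) and the ranking table just shown can be reproduced and cross-checked with a short script. The block below is an added example, not code from the paper: it takes the weights from the column headers and the Low/Moderate/High ratings from the rows, recomputes each entity's risk value, ranks the entities, assigns tiers using the table legend's cutoffs (top 25% High, next 50% Moderate, remainder Low) and lists which entities the legend's coverage rule puts on this year's audit plan. The function names, the rounding-up of tier cutoffs and the coverage selection order (highest-ranked entities within a tier first) are this example's own assumptions; recomputing totals from ratings this way is also a cheap check against transcription slips in a hand-built table.

```python
"""Risk ranking of audit entities: weighted concern ratings, totals and tiers.

Added example, not code from the paper. It recomputes the case-study table from
the weights in the column headers and the Low/Moderate/High ratings in each row,
then assigns tiers using the table legend's cutoffs and selects the entities
the legend's audit coverage rule requires.
"""
import math

# Concern ratings from the table legend: Low (1), Moderate (2), High (3)
RATING = {"Low": 1, "Moderate": 2, "High": 3}

# Criterion weights from the table header, in column order
WEIGHTS = [
    ("Potential Concerns", 2.0),
    ("Staff/System Complexity", 1.75),
    ("Existing Controls & Compliance", 1.5),
    ("Management Changes", 1.5),
    ("Prior Auditing Findings", 1.0),
]

# Share of each tier's entities to audit this year, from the table legend
AUDIT_COVERAGE = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}

# Ratings transcribed from the case-study table, one list per audit entity
ENTITIES = {
    "Contingency Plan": ["Low", "Moderate", "Low", "Low", "Low"],
    "Web Servers": ["Moderate", "High", "High", "High", "High"],
    "Web Applications": ["High", "High", "High", "High", "High"],
    "Database System": ["Moderate", "Low", "Low", "Low", "Low"],
    "PCI DSS Compliance": ["Moderate", "Moderate", "Low", "Low", "Low"],
    "ISO 27001 Compliance": ["Moderate", "Moderate", "Moderate", "Low", "Low"],
    "Company Policy Compliance": ["Low", "Low", "Low", "Low", "Low"],
    "Firewalls": ["High", "High", "Low", "Low", "Moderate"],
    "Routers": ["Moderate", "Moderate", "Low", "Low", "Low"],
}


def cell_value(weight, rating):
    """Weight x concern rating for one cell, e.g. 1.75 x 3 = 5.25 for High complexity."""
    return weight * RATING[rating]


def entity_risk(ratings):
    """Total risk value for one entity: the sum of its weighted cell values."""
    if len(ratings) != len(WEIGHTS):
        raise ValueError("one rating per criterion is required")
    return sum(cell_value(w, r) for (_, w), r in zip(WEIGHTS, ratings))


def rank_entities(entities):
    """Return (name, risk) pairs sorted highest risk first."""
    scored = [(name, entity_risk(r)) for name, r in entities.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def assign_tiers(ranked, high_share=0.25, moderate_share=0.50):
    """Map each entity to High/Moderate/Low by its position in the ranking.

    Cutoffs round up (assumption) so a small audit universe still has a High tier.
    """
    n = len(ranked)
    high_n = math.ceil(n * high_share)
    moderate_n = math.ceil(n * moderate_share)
    tiers = {}
    for position, (name, _) in enumerate(ranked):
        if position < high_n:
            tiers[name] = "High"
        elif position < high_n + moderate_n:
            tiers[name] = "Moderate"
        else:
            tiers[name] = "Low"
    return tiers


def audit_plan(entities):
    """Entities to audit this year: all of High, half of Moderate, a tenth of Low,
    taking the highest-ranked entities within each tier first (assumption)."""
    ranked = rank_entities(entities)
    tiers = assign_tiers(ranked)
    selected = []
    for tier, share in AUDIT_COVERAGE.items():
        members = [name for name, _ in ranked if tiers[name] == tier]
        selected.extend(members[: math.ceil(len(members) * share)])
    return selected


if __name__ == "__main__":
    ranked = rank_entities(ENTITIES)
    tiers = assign_tiers(ranked)
    for name, risk in ranked:
        print(f"{name:28s} {risk:6.2f}  {tiers[name]}")
    print("Audit this year:", audit_plan(ENTITIES))
```

Running the script prints the recomputed ranking with its tier for each entity; Web Applications and Web Servers come out on top and fall in the High tier, which is the result the text draws from the table.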


After ranking a few audit entities within its audit universe, Company found that its primary concerns are corporate firewalls and PCI DSS compliance. Specifically, it is concerned with the "Build and maintain a secure environment" PCI DSS requirement because it recently lost its primary firewall administrator. The company classified its firewalls as confidential (requiring strict controls to prevent unauthorized access), with criticality level 1 (requiring a high level of protection for vital sustainment of business operations). Within its audit plan, the audit team decides to focus a lot of effort toward its corporate firewalls and the above PCI DSS requirement.

During the preparation phase, the auditors find that the former firewall administrator rarely documented firewall changes, had not updated the network topology in several months, and left junior staff untrained. In order to protect e-commerce data and prevent regulatory penalties, the audit team agrees to perform a full scrub of each firewall's rule set. It intends to assess ingress and egress filtering, including the documentation of each rule, and all blocked and allowed ports, protocols and services.
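The rule-set scrub described here (documentation of each rule, ingress and egress filtering, and the "default deny" rule the case study later mentions) lends itself to scripted checks that the audit team can run against an exported configuration. The block below is an added example, not code from the paper or any vendor: it works on a constructed, vendor-neutral rule list (one dict per rule), flags rules with no change record, permit-everything rules, rules shadowed by an earlier permit-everything rule, unrestricted outbound allows, and the absence of a final deny-all in each direction, and then shows the same set after remediation producing no findings. The `ticket` field as the documentation marker, the finding codes and the rule format are this example's assumptions; a real engagement would first parse the firewall's own export into this shape.

```python
"""Rule-set scrub checks for a firewall audit.

Added example, not code from the paper. The rule set below is a constructed,
vendor-neutral representation (one dict per rule, evaluated top to bottom per
direction); the 'ticket' field stands for the change record that documents a
rule and is an assumed convention.
"""
from collections import defaultdict

MATCH_FIELDS = ("src", "dst", "proto", "port")

# Constructed sample rule set with the kinds of defects a scrub looks for
SAMPLE_RULES = [
    {"id": 10, "dir": "ingress", "action": "allow", "src": "any", "dst": "10.0.1.10",
     "proto": "tcp", "port": "443", "ticket": "CHG-1001"},
    {"id": 20, "dir": "ingress", "action": "allow", "src": "any", "dst": "10.0.1.10",
     "proto": "tcp", "port": "80", "ticket": "CHG-1001"},
    {"id": 30, "dir": "ingress", "action": "allow", "src": "203.0.113.7", "dst": "10.0.2.5",
     "proto": "tcp", "port": "3389", "ticket": ""},            # no change record
    {"id": 40, "dir": "ingress", "action": "allow", "src": "any", "dst": "any",
     "proto": "any", "port": "any", "ticket": "CHG-0420"},     # permit-everything rule
    {"id": 45, "dir": "ingress", "action": "allow", "src": "198.51.100.0/24", "dst": "10.0.3.1",
     "proto": "tcp", "port": "22", "ticket": "CHG-1002"},      # never reached after rule 40
    {"id": 50, "dir": "egress", "action": "allow", "src": "10.0.0.0/8", "dst": "any",
     "proto": "any", "port": "any", "ticket": ""},             # unrestricted outbound
]

# The same constructed set after remediation: documented, scoped, final deny-all
HARDENED_RULES = [
    SAMPLE_RULES[0],
    SAMPLE_RULES[1],
    {"id": 90, "dir": "ingress", "action": "deny", "src": "any", "dst": "any",
     "proto": "any", "port": "any", "ticket": "BASELINE"},
    {"id": 50, "dir": "egress", "action": "allow", "src": "10.0.0.0/8", "dst": "any",
     "proto": "tcp", "port": "443", "ticket": "CHG-1003"},
    {"id": 99, "dir": "egress", "action": "deny", "src": "any", "dst": "any",
     "proto": "any", "port": "any", "ticket": "BASELINE"},
]


def matches_everything(rule):
    """True when every match field is the wildcard 'any'."""
    return all(rule[f] == "any" for f in MATCH_FIELDS)


def is_permit_all(rule):
    return rule["action"] == "allow" and matches_everything(rule)


def is_deny_all(rule):
    return rule["action"] == "deny" and matches_everything(rule)


def review_rules(rules):
    """Return (finding_code, subject) tuples; an empty list means no findings."""
    findings = []
    by_dir = defaultdict(list)
    for r in rules:
        by_dir[r["dir"]].append(r)
        if not r["ticket"]:
            findings.append(("UNDOCUMENTED", r["id"]))
        if is_permit_all(r):
            findings.append(("ANY_ANY_ALLOW", r["id"]))
        if (r["dir"] == "egress" and r["action"] == "allow"
                and r["dst"] == "any" and r["port"] == "any"):
            findings.append(("UNRESTRICTED_EGRESS", r["id"]))
    for direction in ("ingress", "egress"):
        chain = by_dir[direction]
        # Default deny: the last rule in each direction must be an explicit deny-all
        if not chain or not is_deny_all(chain[-1]):
            findings.append(("NO_DEFAULT_DENY", direction))
        # Shadowing: nothing placed after a permit-all rule can ever match
        shadowed = False
        for r in chain:
            if shadowed:
                findings.append(("SHADOWED", r["id"]))
            elif is_permit_all(r):
                shadowed = True
    return findings


if __name__ == "__main__":
    for code, subject in review_rules(SAMPLE_RULES):
        print(f"{code:20s} {subject}")
    print("hardened set findings:", review_rules(HARDENED_RULES))
```

The checks are deliberately conservative: a rule after a permit-all is reported as shadowed even if a human would call it merely redundant, because in a scrub the point is to make the operator justify or remove it, and the documentation check treats an empty change reference as a finding rather than guessing at intent.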

During the assessment phase, the audit team finds that the firewalls used within the enterprise are at their end-of-life and close to end-of-support by the vendor. This was just one of many findings, but the most significant one, requiring immediate attention. The audit team worked with management to determine the value of the firewall assets and the cost required to update them. In the mitigation phase, the group determines that the risk of not replacing the corporate firewalls is too costly.

Company valued its enterprise firewalls at $1,500,000. However, the "end-of-support" circumstances increase the threat and vulnerability calculations to 0.4 and 0.7, respectively, making the risk level $420,000. This was due to an increase in the threat (projected loss and annual rate of occurrence) once vendor support is gone, and an increase in deficiency once vendor support is lost. The Company sets a $400,000 budget to cover maintenance contracts, training, testing and deployment of the new firewall product. The group then decides to invest an additional $20,000 to hire an external company to test and validate the effectiveness of its controls.
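The risk figure above is the product asset value x threat x vulnerability ($1,500,000 x 0.4 x 0.7 = $420,000), and the mitigation decision weighs that risk against the $400,000 + $20,000 spent on the control. The block below is an added example, not code from the paper: it implements the formula with bounds checking on the two factors and generalizes the decision to compare the control's cost with the risk it removes over a planning horizon, since the paper ties the threat factor to an annual rate of occurrence while the budget is a one-time spend. The post-replacement factors (0.1 and 0.3), the three-year horizon and the function names are assumptions made for this illustration, not figures from the case study.

```python
"""Quantitative risk (asset value x threat x vulnerability) and a control
cost comparison.

Added example, not code from the paper. The $1,500,000 asset value, the 0.4
threat and 0.7 vulnerability factors and the $400,000 + $20,000 control budget
are the case-study figures. The post-control factors and the planning horizon
are assumptions made for this illustration.
"""


def risk_value(asset_value, threat, vulnerability):
    """Risk = asset value x threat x vulnerability, with both factors in [0, 1]."""
    for name, factor in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= factor <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {factor}")
    return round(asset_value * threat * vulnerability, 2)


def control_decision(asset_value, threat, vulnerability, control_cost,
                     residual_threat, residual_vulnerability, years=1):
    """Compare the control's cost with the risk it removes over the horizon.

    The risk figure is annual (the paper ties threat to projected loss and
    annual rate of occurrence), so the yearly reduction is multiplied by the
    number of years the control is expected to stay in service before it is
    compared with the one-time cost.
    """
    current = risk_value(asset_value, threat, vulnerability)
    residual = risk_value(asset_value, residual_threat, residual_vulnerability)
    reduction = round((current - residual) * years, 2)
    return {
        "current_risk": current,
        "residual_risk": residual,
        "risk_reduction": reduction,
        "control_cost": control_cost,
        "net_benefit": round(reduction - control_cost, 2),
        "recommend": reduction > control_cost,
    }


def firewall_case():
    """The case-study numbers; residual factors and a 3-year horizon are assumed."""
    return control_decision(
        asset_value=1_500_000,
        threat=0.4, vulnerability=0.7,                      # end-of-support, per the case study
        control_cost=400_000 + 20_000,                      # replacement budget + external validation
        residual_threat=0.1, residual_vulnerability=0.3,    # assumed after replacement
        years=3,                                            # assumed service life of the new product
    )


if __name__ == "__main__":
    for key, value in firewall_case().items():
        print(f"{key:15s} {value}")
```

With the assumed residual factors the firewalls carry $45,000 of annual risk after replacement, so the control removes $375,000 per year; over the assumed three years that comfortably exceeds the $420,000 spend, which is the same conclusion the audit team reaches. Changing the horizon to one year flips the recommendation, which is exactly the sensitivity an auditor should show management rather than hide.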

In the reporting phase, the audit team recaps the corporate firewall and PCI DSS concerns with the management team. They cover the next steps required to begin the firewall upgrades and the follow-up milestone dates. To provide positive points, they report some of the shortfalls in the existing firewall architecture that the administrators were able to correct on the spot. One area in particular was the "default deny" rule on the firewall. In addition, the report covered other areas found during the audit, including the use of an authentication server on infrastructure devices and contingency plan changes.


Conclusions

This paper highlights the core areas of a risk-based audit applied to IT risk management and assessment. From the risk assessment and risk ranking process to assessing and reporting findings, it is important to take a risk-based approach focused on enabling business objectives. It is important for the audit team to be mindful of the amount of estimation used in the IT risk ranking process. IT auditors must be realistic in their analysis of threats and risks in the IT environment, and use measurable numbers when possible. Using this approach on a regular basis enables organizations to achieve enterprise IT security. Most importantly, this effective IT risk assessment yields forward-looking insight, not only allowing organizations to avoid IT risks, but providing greater and more meaningful clarity around the IT risks they do face. Armed with this insight and perspective, organizations are much better positioned to take the right IT risks, and can better manage them when they do. In the long run, organizations that can continuously reposition themselves to capitalize on longer-term opportunities are more likely to surpass their business objectives, and this capability will lead to lasting success in today's ever-changing business environment.
