Rockland Professional Services, LLC © 2016 All Rights Reserved IT Risk Assessments Developing the IT Audit Plan

IT Risk Assessments


Page 1: IT Risk Assessments


IT Risk Assessments: Developing the IT Audit Plan

Page 2: IT Risk Assessments


IT Risk Assessments: Table of Contents

Introduction

Methodology

1. Understand the Business

2. Identify the IT Universe

3. Conduct the Risk Assessment

4. Prepare the Report

Page 3: IT Risk Assessments


IT Risk Assessments: Introduction

Rockland Professional Services, LLC ("Rockland Pros") is a consulting firm that assists clients who face challenges with finance, business operations, and technology. Our core services include Internal Audit, Business & IT Advisory, Cyber Security, Data Privacy, and Regulatory Compliance.

Rockland Pros performs IT risk assessments through the use of its standard methodology, which aligns with standards and guidelines set forth by the Institute of Internal Auditors (IIA).

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

~ Revised Standards, Effective 1 January 2017

Page 4: IT Risk Assessments


IT Risk Assessments: Methodology

Our IT risk assessment methodology enables the internal audit function to understand the organization and the level of IT support received, define and understand the IT environment, identify the role of risk assessment in determining the IT universe, and formalize the IT audit plan.

Our systematic process is based on several industry standards and frameworks (e.g., COSO, COBIT, NIST, ISO, ITIL), and is divided into the four phases depicted below.

Understand the Business

• Understand the organization’s strategies and key business objectives.

• Understand how the organization structures its business operations.

• Understand how the organization structures the IT service support model.

• Obtain agreement on how the organization structures its business operations and IT service support model.

Identify the IT Universe

• Identify the applications used to support the critical business operations.

• Identify the infrastructure used to support the critical applications.

• Identify the current IT projects and initiatives.

• Obtain agreement on the scope of the IT Universe.

Conduct the Risk Assessment

• Assess the critical applications based on a standard set of risk factors.

• Assess the supporting infrastructure based on a standard set of risk factors.

• Assess the IT processes based on a standard set of risk factors.

• Assess the organization’s project management capabilities based on a standard set of risk factors.

• Obtain agreement on the results of the risk assessment (i.e., significance, likelihood).

Prepare the Report

• Summarize the critical data obtained throughout the IT risk assessment.

• Prepare a risk heat map.

• Draft an IT audit plan.

• Obtain agreement on the final report.

Page 5: IT Risk Assessments


IT Risk Assessments: Understanding the Business

[Phase diagram: Understand the Business > Identify the IT Universe > Conduct the Risk Assessment > Prepare the Report]

The first phase in conducting the IT risk assessment is to understand the business. This includes the strategies, objectives, and business models – which create unique business risks for each organization.

During this phase, Rockland Pros conducts interviews with key stakeholders within the business and IT functions in order to understand the overall structure of the company’s operations and its support models.

Rockland Pros works with management to identify the critical business processes and the IT processes implemented to support the organization’s strategies and objectives.

Global Technology Audit Guide: Developing the IT Audit Plan. Figure adapted and revised from: IT Control Objectives for Sarbanes-Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.

Page 6: IT Risk Assessments


IT Risk Assessments: Identify the IT Universe

The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization.

Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities:

• Review Documentation

• Conduct Interviews

• Facilitate Workshops

• Submit Questionnaires

This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment.

[Phase diagram: Understand the Business > Identify the IT Universe > Conduct the Risk Assessment > Prepare the Report]

Page 7: IT Risk Assessments


IT Risk Assessments: Conduct the Risk Assessment

[Phase diagram: Understand the Business > Identify the IT Universe > Conduct the Risk Assessment > Prepare the Report]

The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach, designed to measure the level of risk associated with the IT universe based on impact and likelihood.

Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria.

Impact and likelihood are each measured on a high, medium and low scale and averaged across the risk criteria to calculate a weighted risk score, which determines the inherent risk.
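A worked illustration of this scoring step, added here and not part of the Rockland Pros deck: it assumes a numeric scale of H=3, M=2, L=1, four illustrative criteria, impact times likelihood as the weighted score, and band cut-offs of 2.5 and 1.5 for placing items on the likelihood-by-impact heat map; the IT-universe items are constructed sample data.

```python
# Assumed numeric scale for the high/medium/low ratings (the deck gives no numbers).
SCALE = {"H": 3, "M": 2, "L": 1}
# Assumed, illustrative risk criteria; one rating per criterion on each axis.
CRITERIA = ("financial_impact", "data_sensitivity", "regulatory_exposure", "change_volume")

# Constructed sample IT universe: name -> (impact ratings, likelihood ratings),
# one H/M/L character per criterion, in CRITERIA order.
IT_UNIVERSE = {
    "ERP": ("HHHM", "MMHH"),
    "Payroll": ("HMHL", "LLML"),
    "Intranet wiki": ("LLLM", "MMLH"),
    "Cloud migration project": ("MHMM", "HHHH"),
}


def axis_score(ratings: str) -> float:
    """Average the H/M/L ratings for one axis (impact or likelihood) across all criteria."""
    if len(ratings) != len(CRITERIA) or any(r not in SCALE for r in ratings):
        raise ValueError(f"expected {len(CRITERIA)} ratings drawn from {sorted(SCALE)}")
    return sum(SCALE[r] for r in ratings) / len(ratings)


def band(score: float) -> str:
    """Map an averaged axis score back onto H/M/L for heat-map placement (assumed cut-offs)."""
    return "H" if score >= 2.5 else "M" if score >= 1.5 else "L"


def inherent_risk(impact: str, likelihood: str) -> float:
    """Weighted risk score: average impact times average likelihood (range 1.0 to 9.0)."""
    return axis_score(impact) * axis_score(likelihood)


def assess(universe: dict) -> list:
    """Rank the IT universe by inherent risk; cell is (likelihood band, impact band)."""
    rows = [
        {"item": name, "score": inherent_risk(impact, likelihood),
         "cell": (band(axis_score(likelihood)), band(axis_score(impact)))}
        for name, (impact, likelihood) in universe.items()
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def heat_map(universe: dict) -> dict:
    """Group items into the 3x3 likelihood-by-impact grid that the report presents."""
    grid = {(lik, imp): [] for lik in "HML" for imp in "HML"}
    for row in assess(universe):
        grid[row["cell"]].append(row["item"])
    return grid


if __name__ == "__main__":
    for row in assess(IT_UNIVERSE):
        print(f"{row['item']:<25} score={row['score']:.2f} cell={row['cell']}")
```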

Page 8: IT Risk Assessments


IT Risk Assessments: Prepare the Report

[Phase diagram: Understand the Business > Identify the IT Universe > Conduct the Risk Assessment > Prepare the Report]

At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following:

• An overview of the risk assessment, including the approach and methodology.

• The IT universe – inventory of the applications, infrastructure, IT processes and projects.

• Risk heat maps that compare likelihood and impact of the IT universe.

• Interviewee list of personnel who participated in the risk assessment.

• The risk criteria used to conduct the assessment.

Page 9: IT Risk Assessments


Contact Information

Brian T. Campbell, Managing Partner

Office: 845.418.4829
Mobile: 917.623.5679
E-mail: [email protected]