Rockland Professional Services, LLC © 2016 All Rights Reserved
IT Risk Assessments: Developing the IT Audit Plan
IT Risk Assessments: Table of Contents
Introduction
Methodology
1. Understand the Business
2. Identify the IT Universe
3. Conduct the Risk Assessment
4. Prepare the Report
IT Risk Assessments: Introduction
Rockland Professional Services, LLC ("Rockland Pros") is a consulting firm that assists clients who face challenges with finance, business operations, and technology. Our core services include Internal Audit, Business & IT Advisory, Cyber Security, Data Privacy, and Regulatory Compliance.
Rockland Pros performs IT risk assessments through the use of its standard methodology, which aligns with standards and guidelines set forth by the Institute of Internal Auditors (IIA).
To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
~ Revised Standards, Effective 1 January 2017
IT Risk Assessments: Methodology
Our IT risk assessment methodology enables the internal audit function to understand the organization and the level of IT support received, define and understand the IT environment, identify the role of risk assessment in determining the IT universe, and formalize the IT audit plan.
Our systematic process is based on several industry standards and frameworks (e.g., COSO, COBIT, NIST, ISO, ITIL), and is divided into the four phases depicted below.
Understand the Business
• Understand the organization’s strategies and key business objectives.
• Understand how the organization structures its business operations.
• Understand how the organization structures the IT service support model.
• Obtain agreement on how the organization structures its business operations and IT service support model.
Identify the IT Universe
• Identify the applications used to support the critical business operations.
• Identify the infrastructure used to support the critical applications.
• Identify the current IT projects and initiatives.
• Obtain agreement on the scope of the IT Universe.
Conduct the Risk Assessment
• Assess the critical applications based on a standard set of risk factors.
• Assess the supporting infrastructure based on a standard set of risk factors.
• Assess the IT processes based on a standard set of risk factors.
• Assess the organization’s project management capabilities based on a standard set of risk factors.
• Obtain agreement on the results of the risk assessment (i.e., significance, likelihood).
Prepare the Report
• Summarize the critical data obtained throughout the IT risk assessment.
• Prepare a risk heat map.
• Draft an IT audit plan.
• Obtain agreement on the final report.
IT Risk Assessments: Understanding the Business
[Figure: the four phases of the methodology: Understand the Business, Identify the IT Universe, Conduct the Risk Assessment, Prepare the Report]
The first phase in conducting the IT risk assessment is to understand the business. This includes the strategies, objectives, and business models – which create unique business risks for each organization.
During this phase, Rockland Pros conducts interviews with key stakeholders within the business and IT functions in order to understand the overall structure of the company’s operations and its support models.
Rockland Pros works with management to identify the critical business processes and the IT processes implemented to support the organization’s strategies and objectives.
Global Technology Audit Guide: Developing the IT Audit Plan. Figure adapted and revised from: IT Control Objectives for Sarbanes-Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.
IT Risk Assessments: Identify the IT Universe
The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization.
Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities:
• Review Documentation
• Conduct Interviews
• Facilitate Workshops
• Submit Questionnaires
This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment.
IT Risk Assessments: Conduct the Risk Assessment
The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach, designed to measure the level of risk associated with the IT universe based on impact and likelihood.
Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria.
Impact and likelihood are each measured on a high, medium and low scale and averaged across the risk criteria to calculate a weighted risk score, which determines the inherent risk.
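As an added illustration of the scoring described above (example code, not Rockland Pros' own model or tooling), the following Python scores each asset in a constructed IT-universe inventory on assumed impact and likelihood criteria, averages the weighted High/Medium/Low ratings into an inherent risk score, and buckets the results into the likelihood-versus-impact heat map that the final report presents. The 3/2/1 rating values, the criterion names and weights, and the band thresholds are all assumptions made for the example; a real engagement agrees these with management before scoring begins.

```python
"""Weighted H/M/L risk scoring and heat map for an IT-universe inventory.

Added example (not Rockland Pros' scoring model). Everything numeric here is
an assumption made for illustration: the 3/2/1 values for High/Medium/Low,
the criterion names and weights, and the band thresholds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RATING = {"High": 3.0, "Medium": 2.0, "Low": 1.0}

# Assumed criteria and weights per dimension (each set sums to 1.0).
IMPACT_WEIGHTS = {"financial": 0.4, "regulatory": 0.3, "operational": 0.3}
# Likelihood criteria are phrased so that "High" always means more likely,
# e.g. control_gaps=High means weak controls, not strong ones.
LIKELIHOOD_WEIGHTS = {"complexity": 0.3, "rate_of_change": 0.3, "control_gaps": 0.4}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                   # application, infrastructure, process or project
    impact: Dict[str, str]      # criterion -> "High" | "Medium" | "Low"
    likelihood: Dict[str, str]


def weighted_score(ratings: Dict[str, str], weights: Dict[str, float]) -> float:
    """Weighted average of H/M/L ratings on the 1..3 scale, rounded to 2 places.

    Fails closed: an asset with a missing, unknown or malformed rating is
    rejected rather than silently scored low.
    """
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    for criterion, rating in ratings.items():
        if criterion not in weights:
            raise ValueError(f"unknown criterion {criterion!r}")
        if rating not in RATING:
            raise ValueError(f"rating for {criterion!r} must be High/Medium/Low")
    return round(sum(RATING[ratings[c]] * w for c, w in weights.items()), 2)


def to_band(score: float) -> str:
    """Map a 1..3 score back to a High/Medium/Low band (thresholds assumed)."""
    if score >= 2.5:
        return "High"
    if score >= 1.5:
        return "Medium"
    return "Low"


def assess(asset: Asset) -> dict:
    """Score one asset: impact, likelihood, their mean as inherent risk, and its band."""
    impact = weighted_score(asset.impact, IMPACT_WEIGHTS)
    likelihood = weighted_score(asset.likelihood, LIKELIHOOD_WEIGHTS)
    inherent = round((impact + likelihood) / 2, 2)
    return {"name": asset.name, "impact": impact, "likelihood": likelihood,
            "inherent_risk": inherent, "band": to_band(inherent)}


def heat_map(assets: List[Asset]) -> Dict[Tuple[str, str], List[str]]:
    """Bucket assets into a 3x3 grid keyed by (impact band, likelihood band)."""
    grid: Dict[Tuple[str, str], List[str]] = {(imp, lik): [] for imp in RATING for lik in RATING}
    for asset in assets:
        result = assess(asset)
        grid[(to_band(result["impact"]), to_band(result["likelihood"]))].append(asset.name)
    return grid


def plan_order(assets: List[Asset]) -> List[str]:
    """Asset names ordered for the draft audit plan: highest inherent risk first."""
    results = sorted((assess(a) for a in assets), key=lambda r: r["inherent_risk"], reverse=True)
    return [r["name"] for r in results]


# Constructed sample inventory (not real client data).
SAMPLE_UNIVERSE = [
    Asset("ERP", "application",
          {"financial": "High", "regulatory": "High", "operational": "Medium"},
          {"complexity": "High", "rate_of_change": "Medium", "control_gaps": "Medium"}),
    Asset("Payment gateway", "infrastructure",
          {"financial": "High", "regulatory": "High", "operational": "High"},
          {"complexity": "Medium", "rate_of_change": "High", "control_gaps": "Low"}),
    Asset("Intranet wiki", "application",
          {"financial": "Low", "regulatory": "Low", "operational": "Medium"},
          {"complexity": "Low", "rate_of_change": "Low", "control_gaps": "High"}),
]

if __name__ == "__main__":
    for cell, names in sorted(heat_map(SAMPLE_UNIVERSE).items()):
        if names:
            print(f"impact={cell[0]:<6} likelihood={cell[1]:<6} {', '.join(names)}")
    print("draft audit plan order:", plan_order(SAMPLE_UNIVERSE))
```

With the sample data the payment gateway scores maximum impact but only medium likelihood, so its inherent risk (2.45) lands just below the assumed High threshold while the ERP (2.5) crosses it; that sensitivity to thresholds and weights is why the methodology obtains agreement on the risk criteria before, and on the results after, the assessment.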
IT Risk Assessments: Prepare the Report
At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following:
• An overview of the risk assessment, including the approach and methodology.
• The IT universe – inventory of the applications, infrastructure, IT processes and projects.
• Risk heat maps that compare likelihood and impact of the IT universe.
• Interviewee list of personnel who participated in the risk assessment.
• The risk criteria used to conduct the assessment.
Contact Information
Brian T. Campbell, Managing Partner
Office: 845.418.4829
Mobile: 917.623.5679
E-mail: [email protected]