8/11/2019 Risk Management of IS Function
1/13
Risk Management of the IS Function
Learning Objectives
Become familiar with the concept of computer risks and exposures.
Understand the major types of risk faced by the information system (IS) function, including the sources of such risk as well as their causes.
Understand the emphasis on management's role in adopting a risk position.
This module examines risk and its nature in the corporate environment, and looks at the internal audit need for appropriate risk analysis to enable risk-based auditing as an integrated approach.
Leadership involves making choices in the face of uncertainty. Risk is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.
Nature of Risk
Ultimately, all entities encounter risk, regardless of their size, corporate structure, nature of business, or type of industry.
These risks can affect the company in:
the ability to compete successfully,
the ability to maintain financial strength,
the corporation's positive public image, and
ultimately, the organization's ability to survive.
Yes or No?
Can risk be eliminated?
Answer: NO
If it can't be eliminated, what can we do?
Risk cannot be eliminated, only managed.
Risk identification
Risk identification may be done as part of the planning process, either on a zero base or as an increment to the last review.
Risks arise from internal or external factors, and the factors themselves may be interrelated.
Responsibilities for boards
The Board has responsibility for determining the strategic direction of the organization and for creating the environment and the structures for risk management to operate effectively. This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organization's way of operating and is capable of acting as a sponsor for risk management.
The Board should, as a minimum, consider the following in evaluating its system of internal control:
The nature and extent of downside risks acceptable for the company to bear within its particular business
The likelihood of such risks becoming a reality
How unacceptable risks should be managed
The company's ability to minimize the probability and impact on the business
The costs and benefits of the risk and control activity undertaken
The effectiveness of the risk management process
The risk implications of board decisions
Types of risks
Inherent risk
The likelihood of a significant loss occurring before taking into account your risk-reducing factors.
Control risk
Measures the likelihood that the control processes established to manage inherent risk prove to be ineffective.
Detection risk
The likelihood that errors not detected or prevented by the control structure will also not be detected by the auditor.
Question
What will you do in order to evaluate whether the controls designed and implemented by management have adequately reduced the inherent risk to within tolerance levels?
As an auditor, you must identify those controls relied upon by management to reduce the likelihood or impact of the risk.
Once these controls have been identified, an audit program to test the known effectiveness of these controls may be designed and implemented.