The head of a booming agricultural operation in the American heartland uses it all the time to get the job done. The director of a manufacturing plant on the East Coast and a hospital administrator in the Pacific Northwest use it as well. Technology – particularly information technology – is heavily relied upon, but often taken for granted, and has become an indispensable driver for everyday business.
Even with the most innovative technology in place, things can go wrong. But how many C-level executives know the potential technology risks that their organizations face?
To get an understanding about such risk, companies should take a step back, review their business processes and correlate them with the demands of the IT environment, which includes infrastructure such as servers, network devices and the applications that support them. Organizations also need to know how they would be affected if certain strategic projects did not go well. The failure rate and cost of these projects continue to be a significant risk for companies today.
Legal Requirements
A spate of compliance regulations with significant implications for IT departments in various industries creates a unique chance to get a handle on potential technological risks in their enterprises. The Sarbanes-Oxley Act has focused the lens from a financial reporting risk perspective, making sure financials are accurately reported. As we all know, financial risks are heavily tied to technology in today’s world.
Various state privacy regulations and reporting requirements as well as international (European Union) directives have come into play on the treatment of confidential data and how it should be protected. In addition, there are industry requirements such as the Gramm-Leach-Bliley Act, which deals with handling customer data, and the PCI (Payment Card Industry) standard pertaining to credit card transactions and associated records.
Most recently, part of the U.S. government’s 2009 economic stimulus package included the HITECH requirement. This requirement further refines, and in many cases raises the bar on, the stringency with which personal healthcare information must be treated.
While many companies do not have Enterprise Risk Management (ERM) programs formally in place, they can always do an independent assessment of IT risk. Because such risks are not standalone in nature, the business operation is unnecessarily exposed unless their likely impact on the business is well understood. Minimizing such vulnerability calls for taking a robust approach to identifying and managing IT risks.
Most companies look at IT risk as part of their overall annual risk assessment. However, they should put more focus on updating the risk assessment results rather than putting the results on the shelf. The audit plan or risk mitigation plan should be executed at least every quarter and should include keeping a finger on the pulse of new external and internal threats as well as emerging risk trends. Businesses are far from stagnant; their risk profile keeps changing and impacting the IT risk environment. IT should also utilize available quantitative information, such as help desk tickets, to understand the problems being experienced by the business, and then use that information to determine whether new risks have emerged.
The risk profile status should be reported to the audit committee so it is up to speed on how risk is being managed and, in many cases, mitigated through audit procedures. Clear ownership, a clearly outlined procedure for reporting risk status, and channeling that information directly to the executives involved with the audit committee are key steps in the process.
Defining the Scope of the IT Risk Assessment
Internally, it is hard to confine IT to a single department because of its pervasiveness. In the past, a company may have had two physical servers, each serving a different department. Today, using virtualization, a single server might host applications that support both Department A and Department B. Thus, looking at application risks by department gets more complicated, and it is hard to separate out IT risks in a stovepipe manner.
Another key aspect of the risk profile is that in today’s environment there is a lot of outsourcing and processing conducted by third-party organizations, and the risk that those vendors represent needs to be understood. Many times SAS70 reports (accepted reports independently conducted by Certified Public Accounting firms) become the basis on which a company relies for assurance about how vendors are treating its information and managing their IT infrastructure and associated data.
Companies need to look at expanding on what those SAS70s are telling them and potentially adding a more robust vendor risk assessment process. This could also mean having a right-to-audit clause in the contract with a third-party vendor, one that allows the company closer scrutiny of the vendor’s IT environment and a clearer understanding of the process for managing it.
Who needs to be involved in the IT risk assessment? From a vendor perspective, it is probably a combination of IT, procurement and business representatives, depending on what is being outsourced. For example, if payroll is outsourced, appropriate people from that critical business department should participate. For an internal IT risk assessment, it would typically involve a combination of internal audit, IT, chief risk officer team personnel and the affected business owners.
A Specific Role for Internal Audit
IT must be an active participant in the risk assessment process because of its understanding of the day-to-day environment and perspective on how that environment relates to the processes and procedures used by the company. However, it is up to internal audit to probe beyond the face value of IT’s account of its activities and how it views the risk environment. Internal audit should look at ways to obtain hard, quantifiable confirmation on the risk picture from IT assets and from critical infrastructure components in order to fully understand the environment.
Meanwhile, senior management as well as the audit committee must be kept apprised of the risk assessment results, making sure that appropriate ownership of each IT risk is assigned. Plugging into and having ownership of risks and the risk processes are important in helping to facilitate access to the right people, establishing ongoing reporting and showing interest in the reporting of potentially critical risks. Without that support, the risk process loses steam and its ability to be sustained and regularly updated.
Automated controls often reduce risk in the processes and applications that support the IT environment. Because there is no manual intervention, such controls frequently reduce testing steps and the potential for human error; so the more tools and technology that are injected into the IT environment, eliminating the hands-on requirement of heavily manual processes, the better.
An example of a process ripe for automation is change management. There are tools that automate the process of moving application code and data from one environment all the way up to production. These tools become a repository and audit trail record to make sure information can be tracked. They also automate how the components are managed throughout the process environment.
Similarly, there are tools that manage security administration, monitor the security environment, provide perspective from results and help categorize risk. That information, collected on an ongoing basis, helps companies know what is happening and when.
The final extended component of a robust risk assessment process is to hold a facilitated session: get business and IT leaders together to discuss and prioritize risks. It helps build an understanding of what the IT risks are and ensures linkage to their impact on the business.
Next Steps
The internal audit group will put together a roadmap of proposed audits to be conducted throughout the year; audits are one step toward ensuring accountability in managing the risks. A second step would be to assign owners to each risk from an IT perspective based on role and responsibility. And lastly, ensure that there is ongoing reporting throughout the year of what steps are being taken to address such risks.
Reporting helps to formalize the process, but internal audit should find ways to continue to meet with IT throughout the year, just to check and see what is new in the environment. Internal audit, as well as those on the front lines, should keep track of any changes on the business side, keeping in mind that they could have implications for the IT risk profile.