With the increasing complexity of IT systems and their widespread implementation in virtually all spheres of life (e.g., medicine, banking, manufacturing, education), managing IT risk effectively becomes extremely challenging. In the most IT-mature industries, regulators already expect organizations to have mature IT risk management programs operating at the first and second lines of defense1 and providing holistic coverage of all possible IT risk. On top of that, IT risk management programs must be well documented, sustainable, aligned with the overall enterprise risk management framework and closely supervised by executive management. Failure to design and manage effective IT risk management functions could result in exposure to material business risk, inadequate prioritization of risk remediation efforts and the excessive cost for IT risk mitigation. Regular internal audit reviews of IT risk management constitute the third line of defense, keep the first and second lines fit and healthy, and prevent typical slip ups in the IT risk management program.
The steps needed to be done by the third line to evaluate the effectiveness of the IT risk management program are the focus here. Key challenges for IS auditors may include gaps between IT and operational risk management functions, missing or unfilled IT risk management roles, undefined risk indicators and a lack of clear understanding of key IT issues at top management levels. In addition, a well-designed control framework should be supported by effective and sustainable operational execution. Industry best practices and frameworks such as COBIT can help tackle these challenges, save time and add structure to the audit approach. Also, they define principles that contribute to consistent, comparable and reliable results.
Five Steps to Maximize Value and Efficiency in IS Audits
IS auditors must consider many factors adding complexity to planning and execution of audit projects focused on the IT risk management program. Adapting ISACA’s IT Risk Management Audit/Assurance Program and following a clear 5-step process can help enterprises reach comprehensive audit conclusions, add value and improve the organization.
Step 1: Prepare by Mapping to Relevant Standards
The ISACA audit program is based on COBIT 5 and, COBIT 2019 is consistent with recognized best practices, standards and frameworks. ISACA designed and created the IT Risk Management Audit/Assurance Program primarily as a supplemental resource for audit professionals. It needs to be tailored to the specific industry and circumstances presented by the particular systems or information technology environment. IS auditors are encouraged to apply their professional judgment to ensure that all proper information, procedures and tests are included in the audit program. Moreover, in some industries, regulators might have increased expectations around the maturity of IT risk management programs. To avoid the associated compliance risk and potential fines, it is important to verify that mandatory regulatory requirements are not overlooked during the planning phase. Thus, as a first step, IS auditors should map the audit program to relevant industry regulation, standards and guidelines. This exercise will help reveal potential gaps in the list of control objectives proposed by ISACA compared to the specific circumstances of the enterprise. For example, the requirements of the FFIEC IT Examination Handbook2 are applicable for the financial industry in the United States. The requirements of the US National Institute for Standards and Technology (NIST) Special Publication 800-37 Rev. 2 Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy3 and International Organization for Standardization (ISO) ISO 31000—Risk management4 are used in the public sector. In most cases, the ISACA program will not require a lot of changes. The key point is to verify that the mandatory regulatory requirements for a specific industry are taken into consideration.
Step 2: Adjust for Audit Scope and Objectives
After aligning the program with industry standards and requirements, further adjustment regarding audit scope and objectives should be considered. The ISACA program proposes 21 predefined controls mapped to 7 control objectives (COs). The COs address IT risk governance and framework, management processes, events identification, assessment and response, and maintenance and monitoring of remediation action plans. The IS auditor might include all control objectives in the audit program, or only some of them, if the scope is limited to specific themes (e.g., annual risk assessment, risk monitoring and reporting).
Step 3: Prioritize Controls and Align to Budget
After confirming relevance and completeness of control objectives, IS auditors may proceed with a preliminary analysis of IT risk management processes by identifying existing controls and potential weaknesses. Assessing inherent and residual risk for each process helps to prioritize the areas requiring the most attention and budget. ISACA control objectives are self-contained and can be distributed among audit team members and tested in parallel. To simplify coordination, auditors may group testing of governance (CO1) and IT risk management framework (CO2) controls, and also IT risk management process (CO3), risk assessment (CO5) and risk response (CO6) controls. Testing of IT risk event identification (CO4) and maintenance and monitoring of IT risk action plans (CO7) can be reviewed simultaneously with other controls.
Step 4: Test Controls
Testing is the most labor-intensive step. Reviewing the governance (CO1) and IT risk management framework (CO2) controls, IS auditors should ensure that senior IT and enterprise management and the board of directors (BoD) regularly and routinely consider, monitor and review the IT risk management function and define the organization’s appetite for IT risk. Inspecting minutes of recent board meetings, interviewing IT management and reviewing documentation of IT risk management practices can inform conclusions about governance. The IS auditor should determine whether IT risk management framework methodology and definitions align with the enterprise resource monitoring (ERM) framework by checking scales used for risk classification in IT and ERM processes (e.g., probability, expected losses/costs, materiality levels, nonfinancial factors).
To test the IT risk management process (CO3) controls, the IS auditor should determine whether the defined risk management framework is actually enforced; therefore, the auditor must understand the existing process for risk identification and verify that a common approach is used to identify, assess and record risk across departments; to review criteria for measuring risk impact, probability and timeframes; and to prioritize risk. The auditor should ensure that the risk process is well documented and shared with the relevant teams.
While reviewing the risk event identification (CO4) controls, the IS auditor should determine whether the important risk events and near misses affecting the IT function are identified, analyzed, risk rated and documented. Then, as part of the IT risk assessment (CO5) review, the IS auditor should ensure that IT risk scenarios are assessed on a recurring basis using qualitative and quantitative methods that assess the likelihood (probability) and impact of identified risk (figure 1).5
Figure 1—Risk Scenario Overview
Source: ISACA, COBIT 5 for Risk, USA, 2013. Reprinted with permission.
For each identified risk, an organization should define and implement the IT risk response (CO6). To ensure proper execution, the IS auditor must confirm that the risk assessment generated a risk mitigation strategy and a risk action plan. The IT risk action plan produced in the previous step should be monitored by management for appropriate execution, incurred costs, benefits and residual risk (CO7). The IS auditor can confirm the effectiveness of this process by reviewing recent risk response plans and performing limited retesting of implemented controls.
Step 5: Consolidate and Present Results
Once control testing is completed, the IS auditor will have a comprehensive view of the IT risk management program, including its integration into the ERM framework; the overall governance, roles and responsibilities of main contributors; and the level of IT risk appetite within the organization. Opinions can be prepared for each of the tested control objectives, and the auditor may inform management of the reasons for passing/failing the sections, highlight any weak areas and demonstrate potential impacts on the organization.
IT risk management is evolving rapidly in response to an array of emerging technologies and threats; thus, auditors responsible for its assessment increasingly encounter new obstacles and ambiguity. However, by utilizing industry best practices such as those informing ISACA’s IT Risk Management Audit/Assurance Program, COBIT 5 and COBIT 2019, the IT auditor’s task can be more manageable. By properly adopting the program, IS auditors can design an orderly and standardized approach, increase the efficiency of audit work, and gain a comprehensive view of the enterprise’s risk management program.
Alexander Obraztsov, CISA, CISSP, PMP
Is an experienced IT risk and assurance professional working in the Corporate and Investment Banking division of Societe Generale in New York (USA). He has more than 12 years of expertise in technology, information security and audit. Obraztsov has completed a significant number of projects improving IT governance and operational management, strengthening IT asset protection and the overall information security function, improving management of IT risk, and increasing compliance with regulatory requirements for IT in the financial sector in Europe and the United States. He has been an active volunteer and contributor to the ISACA community since 2017. Obraztsov can be reached at https://www.linkedin.com/in/alexander-obraztsov-6ab54928/.
1 Institute of Internal Auditors (IIA), IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, USA, 2013
2 Federal Financial Institutions Examination Council (FFIEC), IT Examination Handbook InfoBase, USA
3 National Institute of Standards and Technologies, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Special Publication 800-37 Rev. 2, USA, 2018
4 International Organization for Standardization, ISO 31000 – Risk management, 2018
5 For approaches to risk scenarios within COBIT 5, see ISACA, COBIT 5 for Risk, USA, 2013, chapter 2 Risk Scenarios