Rockland Professional Services, LLC © 2016 All Rights Reserved
IT Risk Assessments
Developing the IT Audit Plan
Table of Contents
Introduction
Methodology
1. Understand the Business
2. Identify the IT Universe
3. Conduct the Risk Assessment
4. Prepare the Report
Introduction
Rockland Professional Services, LLC ("Rockland Pros") is a consulting firm that assists clients who
face challenges with finance, business operations, and technology. Our core services include
Internal Audit, Business & IT Advisory, Cyber Security, Data Privacy, and Regulatory Compliance.
Rockland Pros performs IT risk assessments through the use of its standard methodology, which
aligns with standards and guidelines set forth by the Institute of Internal Auditors (IIA).
To develop the risk-based plan, the chief audit
executive consults with senior management and
the board and obtains an understanding of the
organization’s strategies, key business objectives,
associated risks, and risk management
processes. The chief audit executive must review
and adjust the plan, as necessary, in response to
changes in the organization’s business, risks,
operations, programs, systems, and controls.
~ Revised Standards, Effective 1 January 2017
Methodology
Our IT risk assessment methodology enables the internal audit function to understand the
organization and the level of IT support received, define and understand the IT environment, identify
the role of risk assessment in determining the IT universe, and formalize the IT audit plan.
Our systematic process is based on several industry standards and frameworks (e.g., COSO,
COBIT, NIST, ISO, ITIL), and is divided into the four phases depicted below.
Understand the Business
• Understand the organization’s strategies and key business objectives.
• Understand how the organization structures its business operations.
• Understand how the organization structures the IT service support model.
• Obtain agreement on how the organization structures its business operations and IT service support model.

Identify the IT Universe
• Identify the applications used to support the critical business operations.
• Identify the infrastructure used to support the critical applications.
• Identify the current IT projects and initiatives.
• Obtain agreement on the scope of the IT Universe.

Conduct the Risk Assessment
• Assess the critical applications based on a standard set of risk factors.
• Assess the supporting infrastructure based on a standard set of risk factors.
• Assess the IT processes based on a standard set of risk factors.
• Assess the organization’s project management capabilities based on a standard set of risk factors.
• Obtain agreement on the results of the risk assessment (i.e., significance, likelihood).

Prepare the Report
• Summarize the critical data obtained throughout the IT risk assessment.
• Prepare a risk heat map.
• Draft an IT audit plan.
• Obtain agreement on the final report.
Understanding the Business
The first phase in conducting the IT risk assessment is to understand the business. This includes the strategies, objectives, and business models – which create unique business risks for each organization.

During this phase, Rockland Pros conducts interviews with key stakeholders within the business and IT functions in order to understand the overall structure of the company’s operations and its support models.

Rockland Pros works with management to identify the critical business processes and the IT processes implemented to support the organization’s strategies and objectives.
Figure source: Global Technology Audit Guide: Developing the IT Audit Plan. Figure adapted and revised from: IT Control Objectives for Sarbanes-Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.
Identify the IT Universe
The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization.

Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities:
• Review Documentation
• Conduct Interviews
• Facilitate Workshops
• Submit Questionnaires

This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment.
Conduct the Risk Assessment
The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach, designed to measure the level of risk associated with the IT universe based on impact and likelihood.

Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria.

Impact and likelihood are measured using a high, medium and low scale – averaged across each of the risk criteria in order to calculate a weighted risk score and determine the inherent risk.

Business Risk Factor Ranking Criteria
Criteria: Risk Ranking Weight
• Strategic: 20%
• Operational: 20%
• Legal / Regulatory Compliance: 20%
• Financial Reporting: 20%
• Financial Exposure: 20%

Applications and Infrastructure Risk Ranking Criteria
Criteria: Risk Ranking Weight
• System Changes: 20%
• Availability / Stability: 15%
• Sensitivity: 20%
• Complexity: 15%
• Level of Customization: 15%
• Transaction Volume: 15%

IT Processes - Risk Ranking Criteria
Criteria: Risk Ranking Weight
• Reliability / Consistency: 20%
• Technology Leverage: 20%
• Results Management: 20%
• Resource Skill Level: 20%
• Complexity / Coordination Level: 20%

IT Projects - Risk Ranking Criteria
Criteria: Risk Ranking Weight
• Criticality: 20%
• Project Management Experience: 10%
• Executive Ownership: 10%
• Process & Control Re-engineering: 20%
• Development Platform: 20%
• Project Budget: 20%
Prepare the Report
At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following:
• An overview of the risk assessment, including the approach and methodology.
• The IT universe – inventory of the applications, infrastructure, IT processes and projects.
• Risk heat maps that compare likelihood and impact of the IT universe.
• Interviewee list of personnel who participated in the risk assessment.
• The risk criteria used to conduct the assessment.
Contact Information
Brian T Campbell
Managing Partner
Office: 845.418.4829
Mobile: 917.623.5679
E-mail: brian.campbell@rocklandpros.com

Mais conteúdo relacionado

Mais procurados

Business continuity planning guide
Business continuity planning guideBusiness continuity planning guide
Business continuity planning guideAstalapulosListestos
 
Introducing Oracle Advanced Financial Controls Cloud Service
Introducing Oracle Advanced Financial Controls Cloud ServiceIntroducing Oracle Advanced Financial Controls Cloud Service
Introducing Oracle Advanced Financial Controls Cloud ServiceDane Roberts
 
#OOW16 - Introduction to Advanced Access Controls
#OOW16 - Introduction to Advanced Access Controls#OOW16 - Introduction to Advanced Access Controls
#OOW16 - Introduction to Advanced Access ControlsDane Roberts
 
Audit and compliance services
Audit and compliance servicesAudit and compliance services
Audit and compliance servicesNiraj Choudhary
 
Integrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanIntegrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanCaseWare IDEA
 
Performing Audits Efficiently and Expanding Service Offerings: Global and Loc...
Performing Audits Efficientlyand Expanding Service Offerings: Global and Loc...Performing Audits Efficientlyand Expanding Service Offerings: Global and Loc...
Performing Audits Efficiently and Expanding Service Offerings: Global and Loc...International Federation of Accountants
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guideCenapSerdarolu
 
Capability Design & Data Sourcing
Capability Design & Data SourcingCapability Design & Data Sourcing
Capability Design & Data Sourcingaccenture
 
#OOW16 - • Get Started with Financial Reporting Compliance and Advanced Finan...
#OOW16 - •	Get Started with Financial Reporting Compliance and Advanced Finan...#OOW16 - •	Get Started with Financial Reporting Compliance and Advanced Finan...
#OOW16 - • Get Started with Financial Reporting Compliance and Advanced Finan...Dane Roberts
 
Establishing Effective ERM of IT: Implementation and Operational Issues of th...
Establishing Effective ERM of IT: Implementation and Operational Issues of th...Establishing Effective ERM of IT: Implementation and Operational Issues of th...
Establishing Effective ERM of IT: Implementation and Operational Issues of th...Robert Stroud
 
Protiviti's Tips - Will you be ready for an IPO when the market is?
Protiviti's Tips - Will you be ready for an IPO when the market is?Protiviti's Tips - Will you be ready for an IPO when the market is?
Protiviti's Tips - Will you be ready for an IPO when the market is?Ellie Ahmadi
 
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...Ed Sattar
 
Finance Reporting Offering
Finance Reporting OfferingFinance Reporting Offering
Finance Reporting Offeringaccenture
 

Mais procurados (18)

Business continuity planning guide
Business continuity planning guideBusiness continuity planning guide
Business continuity planning guide
 
Introducing Oracle Advanced Financial Controls Cloud Service
Introducing Oracle Advanced Financial Controls Cloud ServiceIntroducing Oracle Advanced Financial Controls Cloud Service
Introducing Oracle Advanced Financial Controls Cloud Service
 
Swetana A Purohit
Swetana A PurohitSwetana A Purohit
Swetana A Purohit
 
#OOW16 - Introduction to Advanced Access Controls
#OOW16 - Introduction to Advanced Access Controls#OOW16 - Introduction to Advanced Access Controls
#OOW16 - Introduction to Advanced Access Controls
 
Audit and compliance services
Audit and compliance servicesAudit and compliance services
Audit and compliance services
 
How to Audit Non Financial Information
How to Audit Non Financial InformationHow to Audit Non Financial Information
How to Audit Non Financial Information
 
Integrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit PlanIntegrating Data Analytics into a Risk-Based Audit Plan
Integrating Data Analytics into a Risk-Based Audit Plan
 
Performing Audits Efficiently and Expanding Service Offerings: Global and Loc...
Performing Audits Efficientlyand Expanding Service Offerings: Global and Loc...Performing Audits Efficientlyand Expanding Service Offerings: Global and Loc...
Performing Audits Efficiently and Expanding Service Offerings: Global and Loc...
 
Data analytics and audit coverage guide
Data analytics and audit coverage guideData analytics and audit coverage guide
Data analytics and audit coverage guide
 
Capability Design & Data Sourcing
Capability Design & Data SourcingCapability Design & Data Sourcing
Capability Design & Data Sourcing
 
#OOW16 - • Get Started with Financial Reporting Compliance and Advanced Finan...
#OOW16 - •	Get Started with Financial Reporting Compliance and Advanced Finan...#OOW16 - •	Get Started with Financial Reporting Compliance and Advanced Finan...
#OOW16 - • Get Started with Financial Reporting Compliance and Advanced Finan...
 
Establishing Effective ERM of IT: Implementation and Operational Issues of th...
Establishing Effective ERM of IT: Implementation and Operational Issues of th...Establishing Effective ERM of IT: Implementation and Operational Issues of th...
Establishing Effective ERM of IT: Implementation and Operational Issues of th...
 
Protiviti's Tips - Will you be ready for an IPO when the market is?
Protiviti's Tips - Will you be ready for an IPO when the market is?Protiviti's Tips - Will you be ready for an IPO when the market is?
Protiviti's Tips - Will you be ready for an IPO when the market is?
 
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...
ASSE Safety 2016: Ed Sattar Speaks about Operational Risk and Regulatory Chan...
 
Finance Reporting Offering
Finance Reporting OfferingFinance Reporting Offering
Finance Reporting Offering
 
Risk Technology Strategy, Selection and Implementation
Risk Technology Strategy, Selection and ImplementationRisk Technology Strategy, Selection and Implementation
Risk Technology Strategy, Selection and Implementation
 
Cobit 5-one-page
Cobit 5-one-pageCobit 5-one-page
Cobit 5-one-page
 
Social media risks guide
Social media risks guideSocial media risks guide
Social media risks guide
 

Semelhante a IT Risk Assessments

WLS Services Brochure March 2013
WLS Services Brochure March 2013WLS Services Brochure March 2013
WLS Services Brochure March 2013Mike Wright
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planninggoreankush1
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxkoushikDutta62
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsSubhajit Bhuiya
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan MMohan M
 
Sap audit programs_and_ic_qs
Sap audit programs_and_ic_qsSap audit programs_and_ic_qs
Sap audit programs_and_ic_qsPhong Ho
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEryk Budi Pratama
 
Project Portfolio Optimization and Governance
Project Portfolio Optimization and GovernanceProject Portfolio Optimization and Governance
Project Portfolio Optimization and GovernanceValue Amplify Consulting
 
Lily Dzur_resume_c1
Lily Dzur_resume_c1Lily Dzur_resume_c1
Lily Dzur_resume_c1Lily Dzur
 
Cognitivo - Tackling the enterprise data quality challenge
Cognitivo - Tackling the enterprise data quality challengeCognitivo - Tackling the enterprise data quality challenge
Cognitivo - Tackling the enterprise data quality challengeAlan Hsiao
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007David Cunningham
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPScott Baron
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAPPECB
 
Using COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk AnalysisUsing COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk Analysiswebmentorman
 

Semelhante a IT Risk Assessments (20)

WLS Services Brochure March 2013
WLS Services Brochure March 2013WLS Services Brochure March 2013
WLS Services Brochure March 2013
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planning
 
Cyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptxCyber Security_Consultant_Nial Lande.pptx
Cyber Security_Consultant_Nial Lande.pptx
 
Sharpening the Lens
Sharpening the LensSharpening the Lens
Sharpening the Lens
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
 
Sap audit programs_and_ic_qs
Sap audit programs_and_ic_qsSap audit programs_and_ic_qs
Sap audit programs_and_ic_qs
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
Project Portfolio Optimization and Governance
Project Portfolio Optimization and GovernanceProject Portfolio Optimization and Governance
Project Portfolio Optimization and Governance
 
CV_Dale Bloom
CV_Dale BloomCV_Dale Bloom
CV_Dale Bloom
 
Dennis Batdorf resume
Dennis Batdorf resumeDennis Batdorf resume
Dennis Batdorf resume
 
Lily Dzur_resume_c1
Lily Dzur_resume_c1Lily Dzur_resume_c1
Lily Dzur_resume_c1
 
Cognitivo - Tackling the enterprise data quality challenge
Cognitivo - Tackling the enterprise data quality challengeCognitivo - Tackling the enterprise data quality challenge
Cognitivo - Tackling the enterprise data quality challenge
 
Nitish resume
Nitish resumeNitish resume
Nitish resume
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007
 
EUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIPEUCI Mapping Cybersecurity to CIP
EUCI Mapping Cybersecurity to CIP
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
Using COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk AnalysisUsing COBIT PO9 to perform Project Risk Analysis
Using COBIT PO9 to perform Project Risk Analysis
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 

Último

Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in PakistanChallenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistanvineshkumarsajnani12
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannaBusinessPlans
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165meghakumariji156
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSpanmisemningshen123
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in  Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in  Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in  Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in  Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPanhandleOilandGas
 
Kalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book nowKalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book nowranineha57744
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Falcon Invoice Discounting
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 

Último (20)

Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in PakistanChallenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts  by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in  Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in  Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in  Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in  Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Kalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book nowKalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book now
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 

IT Risk Assessments

  • 1. Rockland Professional Services, LLC © 2016 All Rights Reserved IT Risk Assessments Developing the IT Audit Plan
  • 2. Rockland Professional Services, LLC © 2016 All Rights Reserved 2 2. Identify the IT Universe Methodology 1. Understand the Business 3. Conduct the Risk Assessment 4. Prepare the Report Introduction IT Risk Assessments Table of Contents
  • 3. Rockland Professional Services, LLC © 2016 All Rights Reserved 3 IT Risk Assessments Introduction Rockland Professional Services, LLC ("Rockland Pros"​) is a consulting firm that assists clients who face challenges with finance, business operations, and technology. Our core services include Internal Audit, Business & IT Advisory, Cyber Security, Data Privacy, and Regulatory Compliance. Rockland Pros performs IT risk assessments through the use of its standard methodology, which aligns with standards and guidelines set forth by the Institute of Internal Auditors (IIA). To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. ~ Revised Standards, Effective 1 January 2017
  • 4. Rockland Professional Services, LLC © 2016 All Rights Reserved 4 IT Risk Assessments Methodology Our IT risk assessment methodology enables the internal audit function to understand the organization and the level of IT support received, define and understand the IT environment, identify the role of risk assessment in determining the IT universe, and formalize the IT audit plan. Our systematic process is based on several industry standards and frameworks (e.g., COSO, COBIT, NIST, ISO, ITIL), and is divided into the four phases depicted below. Understand the Business • Understand the organization’s strategies and key business objectives. • Understand how the organization structures its business operations. • Understand how the organization structures the IT service support model. • Obtain agreement on how the organization structures its business operations and IT service support model. Identify the IT Universe • Identify the applications used to support the critical business operations. • Identify the infrastructure used to support the critical applications. • Identify the current IT projects and initiatives. • Obtain agreement on the scope of the IT Universe. Conduct the Risk Assessment • Assess the critical applications based on a standard set of risk factors. • Assess the supporting infrastructure based on a standard set of risk factors. • Assess the IT processes based on a standard set of risk factors. • Assess the organization’s project management capabilities based on a standard set of risk factors. • Obtain agreement on the results of the risk assessment (i.e., significance, likelihood). Prepare the Report • Summarize the critical data obtained through out the IT risk assessment. • Prepare a risk heat map. • Draft an IT audit plan. • Obtain agreement on the final report.
  • 5. Understanding the Business
    The first phase in conducting the IT risk assessment is to understand the business. This includes the strategies, objectives, and business models – which create unique business risks for each organization.
    During this phase, Rockland Pros conducts interviews with key stakeholders within the business and IT functions in order to understand the overall structure of the company’s operations and its support models. Rockland Pros works with management to identify the critical business processes and the IT processes implemented to support the organization’s strategies and objectives.
    [Figure] Global Technology Audit Guide: Developing the IT Audit Plan. Figure adapted and revised from: IT Control Objectives for Sarbanes-Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.
  • 6. Identify the IT Universe
    The next phase of the IT audit risk assessment is to identify the IT universe. This includes the information systems employed to support the critical business processes, and the significant projects undertaken to achieve the strategies and objectives of the organization.
    Rockland Pros identifies the applications, infrastructure and projects that make up the IT universe. Information gathering takes place through one or more of the following activities:
      • Review Documentation
      • Conduct Interviews
      • Facilitate Workshops
      • Submit Questionnaires
    This inventory, which includes a mapping of the applications to the critical business processes, becomes the foundation for conducting the risk assessment.
  • 7. Conduct the Risk Assessment
    The third phase of the IT risk assessment is to conduct the risk assessment using a standardized approach, designed to measure the level of risk associated with the IT universe based on impact and likelihood.
    Rockland Pros assesses the critical applications, infrastructure, IT processes, and projects using a standard set of risk criteria. Impact and likelihood are measured using a high, medium and low scale – averaged across each of the risk criteria in order to calculate a weighted risk score and determine the inherent risk.
    Applications and Infrastructure Risk Ranking Criteria (criterion: risk ranking weight)
      • System Changes: 20%
      • Availability / Stability: 15%
      • Sensitivity: 20%
      • Complexity: 15%
      • Level of Customization: 15%
      • Transaction Volume: 15%
    IT Processes - Risk Ranking Criteria (criterion: risk ranking weight)
      • Reliability / Consistency: 20%
      • Technology Leverage: 20%
      • Results Management: 20%
      • Resource Skill Level: 20%
      • Complexity / Coordination Level: 20%
    IT Projects - Risk Ranking Criteria (criterion: risk ranking weight)
      • Criticality: 20%
      • Project Management Experience: 10%
      • Executive Ownership: 10%
      • Process & Control Re-engineering: 20%
      • Development Platform: 20%
      • Project Budget: 20%
    Business Risk Factor Ranking Criteria (criterion: risk ranking weight)
      • Strategic: 20%
      • Operational: 20%
      • Legal / Regulatory Compliance: 20%
      • Financial Reporting: 20%
      • Financial Exposure: 20%
  • 8. Prepare the Report
    At the completion of the IT risk assessment, Rockland Pros prepares a report containing the following:
      • An overview of the risk assessment, including the approach and methodology.
      • The IT universe – inventory of the applications, infrastructure, IT processes and projects.
      • Risk heat maps that compare likelihood and impact of the IT universe.
      • Interviewee list of personnel who participated in the risk assessment.
      • The risk criteria used to conduct the assessment.
  • 9. Contact Information
    Brian T Campbell, Managing Partner
    Office: 845.418.4829
    Mobile: 917.623.5679
    E-mail: brian.campbell@rocklandpros.com