PREPARED BY:
DATE:

INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate cells.
2. List the risk factors in use (F1..F10) by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model. The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B. The associated audit numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.
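The scoring rules in steps 3, 5 and 6 (weights summing to 1.00, scores of 1 to 3 per factor, a weighted total per auditable unit, and a sort to prioritise the units) are simple enough to model outside the spreadsheet, which also lets you check the worksheet's totals. The following is an added example and not part of the original worksheet; the factor weights, the audit unit names and their scores are constructed sample data.

```python
# Added example (not part of the original worksheet): a model of the weighted
# risk-scoring sheet described in the instructions above. Only the rules stated
# on the page are used: weights must sum to 1.00, each factor is scored 1 (low)
# to 3 (high), the total is the weighted sum, and units are sorted by total.
# Factor weights, audit unit names and scores below are constructed sample data.
from typing import Dict, List, Tuple

FACTORS = [f"F{i}" for i in range(1, 11)]  # risk factors F1..F10
SCORE_MIN, SCORE_MAX = 1, 3                 # 1 = low, 3 = high


def validate_weights(weights: Dict[str, float], tol: float = 1e-9) -> float:
    """Check the weight row (Cells C15..L15); return the total (Cell M15)."""
    missing = [f for f in FACTORS if f not in weights]
    if missing:
        raise ValueError(f"no weight for factors {missing}")
    total = sum(weights[f] for f in FACTORS)
    if abs(total - 1.0) > tol:
        raise ValueError(f"weights sum to {total:.2f}, expected 1.00")
    return round(total, 2)


def weights_ok(weights: Dict[str, float]) -> bool:
    """True when the weight row passes validate_weights."""
    try:
        validate_weights(weights)
        return True
    except ValueError:
        return False


def scores_from(values: List[int]) -> Dict[str, int]:
    """Turn the ten cell values of one row into a factor -> score mapping."""
    if len(values) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} scores, got {len(values)}")
    return dict(zip(FACTORS, values))


def risk_score(weights: Dict[str, float], scores: Dict[str, int]) -> float:
    """Weighted total for one auditable unit (the value shown in column M)."""
    total = 0.0
    for f in FACTORS:
        s = scores[f]
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"{f} score {s} outside {SCORE_MIN}..{SCORE_MAX}")
        total += weights[f] * s
    return round(total, 2)


def prioritise(weights: Dict[str, float],
               universe: Dict[str, Dict[str, int]]) -> List[Tuple[str, float]]:
    """Score every auditable unit and sort high to low (instruction step 6)."""
    validate_weights(weights)
    ranked = [(unit, risk_score(weights, s)) for unit, s in universe.items()]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample data: equal weights of 0.1, as shown in the worksheet row,
# and three hypothetical auditable units.
SAMPLE_WEIGHTS = {f: 0.1 for f in FACTORS}
SAMPLE_UNIVERSE = {
    "Travel expenses": scores_from([1] * 10),
    "Payroll": scores_from([3] * 10),
    "Data center": scores_from([3, 3, 3, 3, 3, 1, 1, 1, 1, 1]),
}

if __name__ == "__main__":
    for unit, total in prioritise(SAMPLE_WEIGHTS, SAMPLE_UNIVERSE):
        print(f"{total:4.2f}  {unit}")
```

With equal weights the total is just the mean score, so the sample units come out at 3.0, 2.0 and 1.0; changing the weights (as step 3 invites) changes the order, which is the point of validating that the row still sums to 1.00 before trusting the sort.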
YEAR:

Worksheet file: Wksht7b.xls

RISK FACTORS (descriptions entered in Cells P2..P11): F1, F2, F3, F4, F5, F6, F7, F8, F9, F10

FACTORS   F1   F2   F3   F4   F5   F6   F7   F8   F9   F10  TOTAL
WEIGHTS   0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  1.00

AUDIT #   AUDIT UNIVERSE   (one row per auditable unit; total risk score in column M)
SORTED RISK ASSESSMENT MATRIX Worksheet
AUDITOR:
AUDIT: DATA CENTER RISK IDENTIFICATION
DATE:

COMPONENTS (rank, name):
1  POLICIES AND PROCEDURE
4  PHYSICAL PROTECTION
5  LOGICAL PROTECTION
6  PEOPLE
7  POWER
x
x
THREAT axis labels: T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12

INSTRUCTIONS:
1. Enter Auditor, Date, Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5). Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number) and the least significant (assigning it "1"), and so forth with the next-most and next-least. If there are 9 Threats, the highest value = 9, etc. Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows), using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns), using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner and the lowest risks in the lower right corner (depending on matrix size). The matrix will register the number of cells to be marked HIGH RISK (Cell H10).
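Steps 4 to 8 are a ranking followed by two descending sorts, one per axis, so that the highest-ranked threat meets the highest-ranked component in the upper left cell. The following is an added example, not part of the original worksheet, that carries the procedure through for the threat and component names used on this sheet. The rank values are constructed, and the cell-risk rule (threat rank multiplied by component rank, with cells at or above a threshold counted as HIGH RISK) is an assumption: the page says the sheet counts HIGH RISK cells in Cell H10 but does not state the formula behind that count.

```python
# Added example (not part of the original worksheet): the ranking and
# double-sort procedure from steps 4 to 8 above, applied to the threat and
# component names used on the worksheet. The rank values are constructed, and
# the cell-risk rule (threat rank times component rank, cells at or above a
# threshold counted as HIGH RISK) is an assumption: the page states that the
# sheet counts HIGH RISK cells but not how it derives them.
from typing import Dict, List, Tuple

MAX_ITEMS = 12  # T1..T12 and B8..B20 each hold at most 12 entries


def check_ranks(ranks: Dict[str, int]) -> None:
    """Steps 4/6: the least significant item gets 1, the most significant n."""
    n = len(ranks)
    if n == 0 or n > MAX_ITEMS:
        raise ValueError(f"need 1..{MAX_ITEMS} items, got {n}")
    if sorted(ranks.values()) != list(range(1, n + 1)):
        raise ValueError(f"ranks must be exactly 1..{n} with no ties")


def sort_axis(ranks: Dict[str, int]) -> List[Tuple[str, int]]:
    """Steps 5/7: 'Data Sort' with the rank as primary key, descending."""
    check_ranks(ranks)
    return sorted(ranks.items(), key=lambda kv: kv[1], reverse=True)


def build_matrix(threats: Dict[str, int], components: Dict[str, int]):
    """Step 8: sorted matrix; the highest-ranked pair lands in the upper left.

    Returns (threat axis, component axis, rows). Cell value = product of the
    two ranks (assumption, not the worksheet's formula).
    """
    t_axis = sort_axis(threats)
    c_axis = sort_axis(components)
    rows = [[t_rank * c_rank for _, t_rank in t_axis] for _, c_rank in c_axis]
    return [t for t, _ in t_axis], [c for c, _ in c_axis], rows


def count_high_risk(rows: List[List[int]], threshold: int) -> int:
    """Number of cells to mark HIGH RISK (the page's Cell H10), by threshold."""
    return sum(1 for row in rows for v in row if v >= threshold)


# Constructed ranks for the threats and components named on the worksheet.
SAMPLE_THREATS = {
    "HACKERS": 7, "INTRUDERS": 6, "FIRE": 5, "POWER OUTAGE": 4,
    "NATURAL DISASTER": 3, "DATA CORRUPTION": 2, "KEY COMPONENT FAILURE": 1,
}
SAMPLE_COMPONENTS = {
    "LOGICAL PROTECTION": 5, "PHYSICAL PROTECTION": 4, "PEOPLE": 3,
    "POWER": 2, "POLICIES AND PROCEDURE": 1,
}
HIGH_RISK_THRESHOLD = 20  # assumed cut-off for marking a cell HIGH RISK

if __name__ == "__main__":
    t_axis, c_axis, rows = build_matrix(SAMPLE_THREATS, SAMPLE_COMPONENTS)
    print("threats (left to right):", t_axis)
    for comp, row in zip(c_axis, rows):
        print(f"{comp:24s}", " ".join(f"{v:3d}" for v in row))
    print("HIGH RISK cells:", count_high_risk(rows, HIGH_RISK_THRESHOLD))
```

The rank check enforces what step 4 implies but the sheet cannot: every rank from 1 to n is used exactly once, so a tie or a skipped value cannot silently distort the sort. With the constructed ranks the upper left cell holds 35 and the lower right holds 1, and eight cells meet the assumed threshold.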
AUDIT: DATA CENTER RISK IDENTIFICATION

THREAT axis (as entered on the worksheet):
FIRE | INTRUDERS | DATA CORRUPTION | HACKERS | NATURAL DISASTER | POWER OUTAGE | KEY COMPONENT FAILURE
RANK row values shown: 5 6 7 8 9 10 11
Inappropriate access to the processing environment and the programs or data that are stored in that environment.

Definition: the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).

Domain: Policies; Data, Applications, Report; Business Process
Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
Rank / COMPONENTS (rows): APPLICATION SYST, APPLICATION, NETWORK (scores shown as 0 0 0 0 0); Total column.

Integrity Risk (column definitions):
User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
Change Management: These risks are associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
Rank: 0
Data: 0
Risk associated with disasters
COMPONENTS / Rank

Column 1: that the definition of how I/T will impact the business are clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction and an adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
Column 2: in this area ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
Column 3: The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.

Further column headers: Computer and network operation management | Data & database | Business data center recovery