Professional Documents
Culture Documents
Risk
Management
Practical guidance
on how to prepare for
successful audits
www.ITCinstitute.com
REPRINTED WITH THE PERMISSION OF 1105 MEDIA, INC.
PRESENTED COURTESY OF TRUTH TO POWER (T2P):
ITCi’s primary goal is to be a useful and trusted resource 5 The Auditor’s Perspective on Risk Management
No part of this publication may be reproduced, stored in a retrieval system, or Controls for Risk Management
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning, or otherwise, except as permitted under § 107 or 108 of the - Audit Reporting
1976 United States Copyright Act, without the prior written permission of the
copyright holder.
Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, 12 Preparing for an Audit
and authors have used their best efforts in preparing this work, they make no
representations or warranties with respect to the accuracy or completeness of
the contents of this book and specifically disclaim any implied warranties of 13 Effectively Communicating with Auditors
merchantability or fitness for a particular purpose. No warranty may be created
or extended by sales representatives or written sales materials. The advice and
strategies contained herein may not be usable for your situation. You should consult
with a professional where appropriate. Neither the publishers nor authors shall be 14 Appendix—Other Resources
liable for any loss of profit or any other commercial damages, including, but not
limited to, special, incidental, consequential, or other damages.
All trademarks cited herein are the property of their respective owners.
EXECUTIVE OVERVIEW
www.ITCinstitute.com
Reprinted with permission 2
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
INTRODUCTION TO
RISK MANAGMENT
Over the past few years, the importance to corporate What Is Enterprise Risk Management ?
governance of effectively managing risk has been widely
acknowledged and accepted. Organizations are under According to COSO,1 Enterprise Risk Management (ERM)
ever more pressure to identify their key business risks is “A process, effected by an entity’s board of directors,
and to manage those risks at an acceptable level. An management, and other personnel, applied in strategy
expanding universe of business threats, more detailed setting and across the enterprise, designed to identify
compliance reporting requirements, and the increasing potential events that may affect the entity, manage risk
complexity of business itself all indicate the need for to be within its risk appetite, and to provide reasonable
formalized programs of risk management. In many cases, assurance regarding the achievement of entity objectives.”
companies are attempting to consolidate all of their risk
management efforts into a comprehensive, companywide ERM is both an input and output of governance and
practice called enterprise risk management (ERM). compliance. As an input, risk management defines
tolerances and thresholds that can and should be used to
Although ERM is integral to compliance with Sarbanes- set the scope and focus of compliance functions—both
Oxley (SOX) and Basel II, the regulatory mandate for managerial and auditing. As an output, risk management
solid risk management practices goes beyond financial is an auditable and definable set of conditions,
management acts. Growing privacy and security procedures, processes, and polices that define a
awareness among consumers, companies, media, and company’s ability to recognize and address risk factors.
elected officials, have prompted the incorporation of risk
management best practices into new laws and regulations
What Are the Benefits of ERM?
that define higher operating, security, privacy, and data
management standards for organizations. Industry best Business is, by nature, fraught with uncertainty. A
practices of yesterday are being replaced with legal formal ERM program provides a framework by which a
demands to ensure that organizations’ governance, company can more completely understand itself and the
internal controls, network infrastructure, business environmental factors that act upon its business. The
processes, and operations are safe, sound, and secure. benefits of ERM are thus the business benefits that any
And new laws and regulations dictate (more than ever) company could realize by holistically increasing its self-
how businesses must govern, work, communicate, and knowledge and reducing managerial uncertainty.
securely interact throughout the organization and with
external parties such as suppliers, customers, vendors, Many of the most sensational corporate failures in recent
and strategic partners. years were predicated on risk opacity—the inability of
companies to understand the risks that their business
Naturally, as companies dedicate more attention and practices were incurring and the risk that market and
resources to ERM, the internal audit function follows suit. other factors were imposing upon them. In many cases,
Internal auditors are increasing the frequency, scope, the problem was not simply that companies did not
and “depth” of their assessments of risk management see risk indicators, but that, even when indicators were
processes and programs. apparent, the companies lacked any meaningful way to
1
The Committee of Sponsoring Organizations of the Treadway Commission (COSO),
http://www.coso.org
www.ITCinstitute.com
Reprinted with permission 3
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
quantify their potential impact. Moreover, they had no Internal auditors in both assurance and consulting roles
way to reach a corporate consensus on whether specific contribute to ERM in a variety of ways, such as evaluating
risks were acceptable or to what degree they should to be the effectiveness of and recommending improvements to
mitigated. By contrast, a formal ERM program: ERM processes.2 Before internal auditors address ERM,
however, the entire organization should fully understand
• Promotes a broader understanding of risks across
management’s responsibility for risk management.
the organization
Auditors’ exact roles in relation to ERM depend on
• Enables board members and other decision makers to the maturity of the organization’s efforts. In general,
recognize risks and formulate appropriate responses however, auditors:
• Tracks what is being done by whom to mitigate • Assure management and the board that all that
observed risks should be done is being done
• Allows decision makers to more quickly recognize • Provide guidance on control effectiveness and
and assess emerging risks feedback on managerial decisions and results
• Helps companies to assess and manage risks more • Independently and objectively assess the
quickly than competitors organization’s efforts to protect itself against current
and emerging risks
• Enables companies to evaluate risks in context,
realizing when a perceived risk is actually
Internal auditors must also take a risk-based approach in
an opportunity
planning their audit activities. This approach allows both
auditors and the business to focus on efforts and factors
Who Is Responsible for ERM? that matter most. With limited resources, auditors should
The practice of managing risk has traditionally been focus on the highest-risk project areas and always strive
placed with individual business units or parts of to add value to the organization. Auditors shouldn’t
units and, to a lesser extent, distributed across the make risk-management decisions; their role is to advise
organization. In contrast, ERM deals with risks and and comment on managerial processes and decisions and
opportunities affecting the creation or preservation of the organization’s efforts.
the entire organization’s value.
Organizations that don’t have a central ERM program
Accordingly, everyone in the organization has a role in often implement risk management by functional area—
ensuring successful ERM, although management bears or perhaps through several centers of management
the primary responsibility for identifying and managing excellence (for financial risk, commodity risk, market
risk and implementing ERM with a structured, consistent, risk, environment health and safety risk, social risk,
and coordinated approach. Boards of directors and political risk, supply chain risk, etc.) For such cases,
their non-corporate equivalents have an overarching the principles in this paper also apply to those specific
responsibility to monitor ERM program efforts and departments or risk types.
obtain credible assurance that the organization’s risks are
being acceptably managed. More organizations are also
appointing chief risk officers to give authority and focus
to this important long-term effort.
2
The IIA International Standards for the Professional Practice of Internal Auditing
(Standards) specify that the scope of internal auditing should encompass evaluating
risk management and control systems.
www.ITCinstitute.com
Reprinted with permission 4
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
Why Audit?
Audits are opportunities for companies to improve, based objectives—and certainly different issues and challenges.
on auditor analysis and advice. To preserve the integrity There is no one-size-fits-all audit process, nor one audit
and authority of audits, auditors maintain a delicate approach that fits all situations. However, all audit efforts
balance between offering advice and making decisions. focus on identifying key goals, issues, and challenges,
and assessing the organizational efforts to succeed.
For each company, the parameters of auditor
responsibility should be At the macro level, audit risk
documented in an internal assessments and the development
audit charter and approved by of the audit universe and
the audit committee. According
An audit litmus test supporting audit plans should
to “The Role of Internal has always been, “Has be completed at least annually,
Audit in Enterprise-wide Risk and sometimes more frequently.
Management,” by The Institute
accountability been At the micro level, an audit risk
of Internal Auditors (IIA), the established and is it assessment of the various entities
core internal audit role regarding being audited is completed
ERM is, generally, to provide
effective and efficient?” to support the audit plan
assurance that significant risks Another key audit test is, (sometimes also referred to as
are being considered in day-to- the audit “terms of reference”).
day decision making. In providing
“Overall, is the program Planning for each audit requires
this assurance, auditors evaluate well performing?” thoughtful consideration of the
risk efforts and discuss their many risks and opportunities
findings with management. In facing the organization.
addition to evaluating ERM
efforts, auditors may also act as champions of ERM The size and complexity of various organizations’ audit
by helping managers to identify and evaluate risks, efforts are very diverse, due to differences in operating
promoting the use of an ERM framework, and advising environments, goals, and objectives of each organization.
managers on appropriate tactical and strategic risk In addition, the scope of audits can also vary from
management responses. project to project, depending on auditor’s focus (e.g.,
management, technical controls, etc.) This possible
Ultimately, however, business managers, not auditors, diversity of audit focus is another reason management
must be responsible for risk management. According should communicate with auditors early and often for
to the IIA, auditors should not set the company’s risk every audit project.
threshold (determine what is and isn’t acceptable),
dictate risk management processes, implement ERM
responses, or make decisions about what responses
to make. Each organization has different goals and
www.ITCinstitute.com
Reprinted with permission 5
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
During audit reporting management receives and Managers and auditors should work together throughout the audit process
reviews the findings of auditors, plans and develops to ensure that auditors pursue appropriate goals and have proper insight
into IT and business processes. Good communication throughout the audit
corrective actions, and implements change.
process helps ensure that audit findings are relevant and can be used to
benefit the company.
www.ITCinstitute.com
Reprinted with permission 6
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
Accordingly, auditors and managers should work to A balance of short- and long-term focus, for both
help each other reach common goals—auditors striving objectives and results
to earnestly, honestly, and completely assess program
effectiveness, and management working to help auditors Staff development, in terms of knowledge, skills,
make valid assessments. In that vein, there are some productivity, and other metrics
typical program characteristics and managerial processes
An engaged workforce and management team
that auditors do and don’t like to see. As in all aspects
of audit and risk management programs, auditor likes
Auditors Don’t Like...
and dislikes vary by company; however, the following list
itemizes typical indicators of good and bad audits.
Interviewing defensive or uninformed managers
and executives
www.ITCinstitute.com
Reprinted with permission 7
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
(Not) forecasting audit requirements and (not) being Work with the audit team to draw up a staff
overly reactionary to auditor requests interview schedule as part of the planning effort.
Update the schedule as necessary during the audit
(Not) ensuring key staff are available to auditors, fieldwork phase, if circumstances change.
especially at critical milestones
In many situations, a single point of contact for each
(Not) informing relevant staff about the audit and its
audited program will provide the vast majority of
goals, impacting the time and effort auditors must
documentation to the audit team. The role of that
spend to explain the audit to affected personnel
individual—and, indeed, for all auditor contacts—is
to ensure that the audit team receives accurate and
Additionally, executives and senior management can
adequate information for the task. Auditors will still use
encourage beneficial audit results by ensuring that:
their professional judgment to determine if and when
additional sources of information (other staff interviews)
The audit team is adequately staffed, according to the are required. The audit team will also conduct a variety
needs of the organization of audit tests, if necessary, to confirm their audit analysis.
3
The audit team is always expected to ensure all their interactions (with all staff) are
professional and result in a minimal disruption.
www.ITCinstitute.com
Reprinted with permission 8
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
RISK MANAGEMENT
AUDIT CHECKLIST
www.ITCinstitute.com
Reprinted with permission 9
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
Auditors evaluate performance metrics established for Risk management performance is measured
the risk management program: which metrics exist,
__ Performance metrics are established
how they are applied, how often they are monitored,
and documented
and how deviations are handled
__ A monitoring program has been established
Auditors evaluate monitoring metrics for ERM,
determine whether they provide useful information and is regularly completed by management
Auditors assess whether risk management controls A risk management business plan exists
are sufficiently preventive, as well as detective
A risk management budget exists
Auditors define tests to confirm the operational
effectiveness of risk management activities. Such tests A continuous improvement program is in place and
might include interviews with management and staff, operating effectively
documentation reviews, data analysis, assessment of
management reporting, and sampling of the results
of recent initiatives.
www.ITCinstitute.com
Reprinted with permission 10
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
Rules and requirements exist and have been The following are typical steps an audit team takes to
documented for specific risk management initiatives confirm and release the audit results. 5
and efforts (e.g., treasury financial-risk management
controls; IT operational risk management processes Auditors debrief management, formally discussing
and controls, and so forth) significant audit findings and conclusions before they
issue the final audit report
Staff adherence to risk management policies and
procedures are regularly and formally evaluated Managers receive a written draft report from auditors
A supervisory review of key management reports and __ The report communicates audit results clearly
operating results occurs regularly and precisely
__ User access controls exist for critical computer Management provides feedback on the draft report
applications
Auditors review managerial comments and
action plan(s)
__ User access controls exist for databases and other
repositories of sensitive data Auditors finalize and distribute the final audit report
5
In organizations with established internal audit functions, there may be standard
operating procedures (SOP) for audit reporting (and other audit activities). If so,
these audit SOPs should be reviewed and understood by management.
www.ITCinstitute.com
Reprinted with permission 11
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
PREPARING FOR AN
INTERNAL AUDIT
www.ITCinstitute.com
Reprinted with permission 12
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
EFFECTIVELY COMMUNICATING
WITH AUDITORS
www.ITCinstitute.com
Reprinted with permission 13
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
APPENDIX—OTHER RESOURCES
1. The Committee of Sponsoring Organizations of the
Treadway Commission (COSO); http://www.coso.org
www.ITCinstitute.com
Reprinted with permission 14
IT AUDIT CHECKLIST: RISK MANAGEMENT
PRESENTED COURTESY OF TRUTH TO POWER (T2P)
www.ITCinstitute.com
Reprinted with permission 15