The Accountant-May-June 2017

MANAGEMENT
risk, and personnel risk. To address risks
more effectively, organizations may use a
risk management approach that identifies,
assesses, manages, and controls potential
events or situations.
Among other things, the goal of
effective risk management is to ensure
that each risk is identified, documented,
prioritized, and mitigated whenever
possible. Because all organizations face
risk, whether positive (i.e., opportunities)
or negative (i.e., events that hinder
company processes), the challenge
for auditors is to know when risk will
occur and the impact it will have on the
organization.
In addition, auditors need to consider
the probability that the risk will occur.
For example, it may not be necessary
for the organization to worry about a
particular IT risk when the likelihood
that it will occur is significantly low
and its impact is low as well. However,
organizations should concentrate on lowprobability
risks that will have a highnegative
impact. As a result, looking at
the impact and probability of each risk is
important when establishing an effective
risk management program that addresses
company-wide risk.
The Risk Management
Process
When establishing a risk management
process or initiative, auditors should
recommend that organizations examine
best management practices in the area.
Typically, risk management plans have
the following objectives:
1. To eliminate negative risks.
2. To reduce risks to an “acceptable” level
if risks cannot be eliminated. This means
a risk level the organization can live with,
making sure that proper controls are in
place to keep risks within an acceptable
range.
3. To transfer risks by means of insurance
(i.e., insuring company assets for theft
or destruction, such as hurricane or fire
damage) or to transfer the risk to another
organization (i.e., using a third-party
vendor to install network equipment so
that the vendor is made responsible for
the installation’s success or failure).
Risk management consists of risk
assessments, risk mitigation, and ongoing
risk evaluations and assessments. The
risk assessment stage is where the
auditor identifies and evaluates each
risk, the impact these risks have on the
organization, and any risk-reducing
recommendations. The end result of the
risk assessment is to determine the extent
of the potential threat and its associated
risk, which is defined as the likelihood
that a given threat can exploit or take
advantage of a particular vulnerability. For
example, if an auditor is evaluating an IT
system, the threats to the system should
be analyzed in conjunction with potential
vulnerabilities and any implemented
controls.
The risk mitigation stage involves
prioritizing, implementing, and
maintaining appropriate risk-reduction
measures that are recommended in the
risk assessment process, while the ongoing
risk evaluation and assessment stage
asks that the organization continuously
evaluate their risk management activities
in reducing risks.
a) Identifying Risks
The risk assessment process begins with
the identification of risk categories. An
organization most likely will have several
risk categories to analyze and identify
risks that are specific to the organization.
Examples of risk categories include:
• Technical or IT risks.
• Project management risks.
• Organizational risks.
• Financial risks.
• External risks.
• Compliance risks.
For instance, technical risks are associated
with the operation of applications
or programs including computers
or perimeter security devices (e.g., a
computer that connects directly to the
Internet could be at risk if it does not
have antivirus software). An example of
a project management risk could be the
Likelihood Level
High
Medium
Low
Likelihood Definition
inadequacy of the project manager to
complete and deliver a project, causing the
company to delay the release of a product
to the marketplace. Organizational risks
deal with how the company’s infrastructure
relates to business operations and the
protection of its assets (e.g., the company
does not have clear segregation of duties
between its production and development
environments), while financial risks
encompass events that will have a
financial impact on the organization (e.g.,
investing the company’s cash reserves in
a highly speculative investment scheme).
External risks are those events that
impact the organization but occur outside
of its control (e.g., natural disasters such
as earthquakes and floods). Finally, a
compliance risk occurs when a company
does not comply with mandated federal
regulations, which often results in fines or
legal sanctions.
b) Determining the Risk Likelihood
Level
Once risks are identified, the next step
is to determine the likelihood that the
potential vulnerability can be exploited.
Several factors need to be considered
when determining this likelihood. First,
the auditor needs to consider the source
of the threat, the motivation behind
the threat, and the capability of the
source. Next, auditors need to determine
the nature of the vulnerability and,
finally, the existence and effectiveness
of current controls to deter or mitigate
the vulnerability. The likelihood that a
potential vulnerability could be exploited
can be described as high, medium, or low.
c) Identifying the Risk’s Impact
The next step is to determine the impact
The threat’s source is highly motivated and
sufficiently capable, and controls that prevent the
vulnerability from being exercised are ineffective.
The threat’s source is motivated and capable, but
controls are in place that may impede a successful
exercise of the vulnerability.
The threat’s source lacks motivation or capability,
and controls are in place to prevent or significantly
impede the vulnerability from being exercised.
MAY - JUNE 2017 19