The Accountant-May-June 2017
MANAGEMENT

risk, and personnel risk. To address risks more effectively, organizations may use a risk management approach that identifies, assesses, manages, and controls potential events or situations.

Among other things, the goal of effective risk management is to ensure that each risk is identified, documented, prioritized, and mitigated whenever possible. Because all organizations face risk, whether positive (i.e., opportunities) or negative (i.e., events that hinder company processes), the challenge for auditors is to know when risk will occur and the impact it will have on the organization.

In addition, auditors need to consider the probability that the risk will occur. For example, it may not be necessary for the organization to worry about a particular IT risk when the likelihood that it will occur is significantly low and its impact is low as well. However, organizations should concentrate on low-probability risks that will have a high negative impact. As a result, looking at the impact and probability of each risk is important when establishing an effective risk management program that addresses company-wide risk.
The Risk Management Process

When establishing a risk management process or initiative, auditors should recommend that organizations examine best management practices in the area. Typically, risk management plans have the following objectives:

1. To eliminate negative risks.
2. To reduce risks to an “acceptable” level if risks cannot be eliminated. This means a risk level the organization can live with, making sure that proper controls are in place to keep risks within an acceptable range.
3. To transfer risks by means of insurance (i.e., insuring company assets for theft or destruction, such as hurricane or fire damage) or to transfer the risk to another organization (i.e., using a third-party vendor to install network equipment so that the vendor is made responsible for the installation’s success or failure).
Risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. The risk assessment stage is where the auditor identifies and evaluates each risk, the impact these risks have on the organization, and any risk-reducing recommendations. The end result of the risk assessment is to determine the extent of the potential threat and its associated risk, which is defined as the likelihood that a given threat can exploit or take advantage of a particular vulnerability. For example, if an auditor is evaluating an IT system, the threats to the system should be analyzed in conjunction with potential vulnerabilities and any implemented controls.

The risk mitigation stage involves prioritizing, implementing, and maintaining appropriate risk-reduction measures that are recommended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate its risk management activities in reducing risks.
a) Identifying Risks

The risk assessment process begins with the identification of risk categories. An organization most likely will have several risk categories to analyze and identify risks that are specific to the organization. Examples of risk categories include:

• Technical or IT risks.
• Project management risks.
• Organizational risks.
• Financial risks.
• External risks.
• Compliance risks.
For instance, technical risks are associated with the operation of applications or programs including computers or perimeter security devices (e.g., a computer that connects directly to the Internet could be at risk if it does not have antivirus software). An example of a project management risk could be the inadequacy of the project manager to complete and deliver a project, causing the company to delay the release of a product to the marketplace. Organizational risks deal with how the company’s infrastructure relates to business operations and the protection of its assets (e.g., the company does not have clear segregation of duties between its production and development environments), while financial risks encompass events that will have a financial impact on the organization (e.g., investing the company’s cash reserves in a highly speculative investment scheme). External risks are those events that impact the organization but occur outside of its control (e.g., natural disasters such as earthquakes and floods). Finally, a compliance risk occurs when a company does not comply with mandated federal regulations, which often results in fines or legal sanctions.

b) Determining the Risk Likelihood Level

Once risks are identified, the next step is to determine the likelihood that the potential vulnerability can be exploited. Several factors need to be considered when determining this likelihood. First, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability. The likelihood that a potential vulnerability could be exploited can be described as high, medium, or low.

Likelihood Level and Likelihood Definition

High: The threat’s source is highly motivated and sufficiently capable, and controls that prevent the vulnerability from being exercised are ineffective.
Medium: The threat’s source is motivated and capable, but controls are in place that may impede a successful exercise of the vulnerability.
Low: The threat’s source lacks motivation or capability, and controls are in place to prevent or significantly impede the vulnerability from being exercised.

c) Identifying the Risk’s Impact

The next step is to determine the impact
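Putting the likelihood definitions from section b) together with an impact rating, here is an added example that is not from the article: a small risk-register scorer that derives each risk's likelihood level from threat motivation, capability and control effectiveness, then ranks the register by likelihood and impact. The "none/partial/strong" control vocabulary, the 3x3 rating matrix, and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SCORE = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Risk:
    name: str
    category: str    # one of the article's categories, e.g. "Technical"
    motivated: bool  # threat source is motivated
    capable: bool    # threat source is sufficiently capable
    controls: str    # assumed vocabulary: "none" (ineffective), "partial" (may impede), "strong"
    impact: str      # "Low" / "Medium" / "High", rated separately by the auditor

def likelihood(r: Risk) -> str:
    """Likelihood level per the article's table (High / Medium / Low)."""
    if r.motivated and r.capable:
        # Motivated and capable source: High when controls are ineffective,
        # otherwise Medium because the controls may still impede the exercise.
        return "High" if r.controls == "none" else "Medium"
    # Source lacks motivation or capability: Low when controls are in place.
    # The table is silent when no controls exist; rated Medium here as an assumption.
    return "Low" if r.controls != "none" else "Medium"

def rating(likelihood_level: str, impact: str) -> str:
    """Assumed 3x3 matrix: product of likelihood and impact scores."""
    product = SCORE[likelihood_level] * SCORE[impact]
    return "High" if product >= 6 else "Medium" if product >= 3 else "Low"

def prioritize(register: list) -> list:
    """Rank risks highest rating first; flag low-probability, high-impact ones."""
    rows = []
    for r in register:
        lk = likelihood(r)
        rows.append({"name": r.name, "category": r.category, "likelihood": lk,
                     "impact": r.impact, "rating": rating(lk, r.impact),
                     # the article says to concentrate on exactly these risks
                     "watch": lk == "Low" and r.impact == "High"})
    rows.sort(key=lambda x: (SCORE[x["rating"]], SCORE[x["impact"]]), reverse=True)
    return rows

# Constructed sample register built from the article's own category examples.
REGISTER = [
    Risk("Internet-connected PC without antivirus", "Technical", True, True, "none", "High"),
    Risk("No segregation of duties, prod vs. dev", "Organizational", True, True, "partial", "Medium"),
    Risk("Earthquake or flood at main site", "External", False, True, "partial", "High"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(f"{row['rating']:6} {row['likelihood']:6} {row['impact']:6} {'WATCH ' if row['watch'] else ''}{row['name']}")
```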
MAY - JUNE 2017 19