The Accountant-May-June 2017
MANAGEMENT<br />
[Photo caption] Gor Mahia fans engaging AFC Leopards fans in a fight during the Kenya Power Charity Cup at Nyayo National Stadium<br />
that the threat could have on the organization. It is important for auditors to understand that not all threats will have the same impact. This is because each system in the organization most likely will have a different value (i.e., not all systems in the organization are worth the same or regarded in the same way). For instance, to evaluate the value of a system, auditors should identify the processes performed by the system, the system’s importance to the company, and the value or sensitivity of the data in the system. A system that handles the company’s payroll will have more value than the system that is used to keep the lunchroom menu database.<br />
The impact of a security event can be defined as a breach or loss of confidentiality, integrity, or availability, which may result in an unauthorized disclosure of company information (i.e., loss of confidentiality), the improper modification of the information (i.e., loss of integrity), or a system’s unavailability when needed (i.e., loss of availability).<br />
The magnitude of impact also can be categorized as high, medium, or low.<br />
Impact: Definition<br />
High: High impact risks may result in the highly costly loss of assets; risks that significantly violate, harm, or impede operations; or risks that cause human death or serious injury.<br />
Medium: Medium impact risks may result in the costly loss of assets; risks that violate, harm, or impede operations; or risks that cause human injury.<br />
Low: Low impact risks may result in the loss of some assets or may noticeably affect operations.<br />
In addition, auditors need to measure the risk’s actual impact on the organization. This can be done by measuring the risk’s impact in a quantitative manner (e.g., revenue loss or the cost to replace IT equipment) or a qualitative manner (e.g., the loss of public confidence when a security breach is announced in the media).<br />
Once a risk’s impact is measured, the auditor can identify its probability of occurring and complete an impact assessment for each risk.<br />
When addressing risks, many organizations usually start by correcting those risks with a lower impact to the organization and a lower probability because these are easier to fix — and fixing a greater number of open issues in a short amount of time looks better on paper. However, auditors should recommend that organizations start by addressing those risks that will have the highest likelihood of occurring and will have the highest impact. This is because by focusing on the low-impact risks first, the company still remains vulnerable to the high-impact risks that can cause irreparable damage.<br />
Conclusion<br />
Many organizations are implementing risk management programs that can help them address company-wide risks and potential threats. In the area of IT, an effective risk management program relies on the auditor’s expertise, thus enabling the organization to apply the necessary risk management controls to a specific area or IT system.<br />
To maximize its effectiveness, auditors should recommend that the risk management initiative receive the support and commitment of senior management. This will help to set the proper tone at the top for the program, as well as ensure that controls are managed properly and that the implemented risk management policies and procedures are adhered to by company staff. In addition, the proper tone at the top will help to establish the organization’s attitude toward risk and the kinds of risks that are acceptable. Finally, the audit team needs to have the proper training or expertise in the area of risk management to better identify and rate risk levels, as well as evaluate controls to determine if they meet the organization’s risk management needs.<br />