The Accountant-May-June 2017

MANAGEMENT
Gor Mahia fans engaging AFC Leapards fans in a fight during the Kenya Power Charity Cup at Nyayo National Stadium
that the threat could have on the
organization. It is important for auditors
to understand that not all threats will
have the same impact. This is because
each system in the organization most
likely will have a different value (i.e.,
not all systems in the organization are
worth the same or regarded in the same
way). For instance, to evaluate the value
of a system, auditors should identify the
processes performed by the system, the
system’s importance to the company,
and the value or sensitivity of the data
in the system. A system that handles the
Impact
High
Medium
Low
Definition
In addition, auditors need to measure the
risk’s actual impact on the organization.
This can be done by measuring the risk’s
impact in a quantitative (e.g., revenue loss
or the cost to replace IT equipment) or
qualitative manner (e.g., the loss of public
confidence when a security breach is
announced in the media).
Once a risk’s impact is measured,
company’s payroll will have more value
than the system that is used to keep the
lunchroom menu database.
The impact of a security event
can be defined as a breach or loss of
confidentiality, integrity, or availability,
which may result in an unauthorized
disclosure of company information (i.e.,
loss of confidentiality), the improper
modification of the information (i.e., loss
of integrity), and a system’s unavailability
when needed (i.e., loss of availability).
The magnitude of impact also can be
categorized as high, medium, or low.
High impact risks may result in the high costly loss
of assets; risks that significantly violate, harm, or
impede operations; or risks that cause human death
or serious injury.
Medium impact risks may result in the costly
loss of assets; risks that violate, harm, or impede
operations; or risks that cause human injury.
Low impact risks may result in the loss of some
assets or may noticeably affect operations.
the auditor can identify its probability
of occurring and complete an impact
assessment for each risk.
When addressing risks, many
organizations usually start by correcting
those risks with a lower impact to the
organization and a lower probability
because these are easier to fix — and fixing
a greater number of open issues in a short
amount of time looks better on paper.
However, auditors should recommend
that organizations start by addressing
those risks that will have the highest
likelihood of occurring and will have the
highest impact. This is because by focusing
on the low-impact risks first, the company
still remains vulnerable to the high impact
risks that can cause irreparable damage.
Conclusion
Many organizations are implementing
risk management programs that can help
them address company-wide risks and
potential threats. In the area of IT, an
effective risk management program relies
on the auditor’s expertise, thus enabling
the organization to apply the necessary
risk management controls to a specific
area or IT system.
To maximize its effectiveness,
auditors should recommend that the
risk management initiative receives the
support and commitment from senior
management. This will help to set the
proper tone at the top for the program,
as well as ensure that controls are
managed properly and implemented risk
management policies and procedures are
adhered to by company staff. In addition,
the proper tone at the top will help to
establish the organization’s attitude
toward risk and the kinds of risks that are
acceptable. Finally, the audit team needs to
have the proper training or expertise in the
area of risk management to better identify
and rate risk levels as well as evaluate
controls to determine if they meet the
organization’s risk management needs.
20 MAY - JUNE 2017