There are many definitions of risk, but the most comprehensive one that puts risk in a business context is the one given in the CISA Review Manual, 26th Edition, which takes it from the International Organization for Standardization (ISO) Guidelines for the Management of IT Security:
Risk is the potential that a given threat will exploit vulnerabilities of an asset or a group of assets and thereby cause harm to the organization.
Risk analysis is an extremely important part of the audit planning process. It is primarily performed by the organization itself, but the IS auditor needs to study the resulting risk analysis to understand which controls need to be in place to mitigate the risks it identifies.
The auditor must not only evaluate whether the risk analysis has been performed in a holistic manner, but must also perform an independent risk analysis wherever the organization's analysis is found to be deficient.
All modern auditing techniques are risk based: audit resources are limited, so they must be applied to the areas of highest risk and highest materiality.
One thing the auditor must be clear about is the risk within the audit process itself. This is called audit risk: the risk that the audit procedures and tools at the auditor's disposal fail to detect a material error or the absence of a material control, so that the auditor reaches a wrong conclusion. In audit terminology it is the combination of inherent risk, control risk and detection risk. As part of audit planning, this risk must be minimized as well.
A thorough understanding of the risks associated with the business can only be achieved if the auditor spends time understanding the business of the entity, its critical processes and architecture, and how information technology enables these critical functions. Management has a general tendency to brush aside IT risk as something too technical, so it is often kept outside the strategic risk assessment process. The auditor's main focus should be on the high risks that affect the confidentiality, integrity and availability of the services.
The auditor needs to evaluate how the IT risk assessment has been carried out and whether the controls to manage IT risks are in place and working. A risk analysis typically follows these steps:
- All business assets are inventoried.
- Risks (threats and the vulnerabilities they could exploit) are identified against each asset.
- Risks are classified according to their likelihood and impact. A business impact analysis may also be used to establish the impact.
- Risks are evaluated to identify the controls needed.
- Risks are treated with new or improved controls, depending on the risk appetite of the organization. Possible risk treatments are avoiding the risk by terminating the activity that creates it, reducing the likelihood of its occurrence, reducing its impact when it does occur, transferring the risk to a third party (e.g. insurance), or accepting a residual risk that falls within the organization's risk appetite.
- Risk management is a continuous process, so the analysis needs to be reviewed regularly by management, especially when new technologies are introduced.
The auditor needs to focus most of the audit effort on the high risk areas of the business and be ready to perform an independent risk analysis and assessment if the business has not done one or if its analysis is found to be deficient. After this, the auditor's job during the IS audit is to evaluate whether controls are present against these risks and whether they are effective.