
RISK FACTORS RISK MEASUREMENT PROCESS (Worksheet 7b)

PREPARED BY:
DATE:
INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate Cells.
2. List the Risk Factors in use, F1..F10, by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model. The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B. The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each risk factor used in the model. The total risk score (the weighted sum of the factor scores) will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.
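Steps 3 to 6 describe a weighted-sum risk score: each auditable unit gets a 1..3 score per factor, the score is multiplied by that factor's weight, and the weighted scores are summed (column M) before the universe is sorted by total. The Python below is an added example, not code from the worksheet: it applies the worksheet's weight-sum check (Cell M15), the 1..3 score range and the column-M total to three constructed sample auditable units (their names and scores are made up for illustration), then sorts them highest risk first as step 6 recommends. The ten equal weights of 0.1 are the ones shown on the sheet.

```python
"""Weighted risk scoring and prioritization in the style of Worksheet 7b.

Added example; the auditable units and their scores are constructed sample data.
"""
from dataclasses import dataclass

LOW, HIGH = 1, 3  # score range used by the worksheet (1 = low, 3 = high)


@dataclass
class AuditableUnit:
    audit_number: int           # column A
    name: str                   # column B
    scores: dict                # factor id ("F1".."F10") -> score in 1..3


def validate_weights(weights: dict, tolerance: float = 1e-9) -> float:
    """Return the weight sum; raise unless it is 1.00 (the Cell M15 check)."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 1.0) > tolerance:
        raise ValueError(f"weights sum to {total:.2f}, expected 1.00")
    return total


def total_risk_score(unit: AuditableUnit, weights: dict) -> float:
    """Column M: sum over factors of weight * score, after range-checking each score."""
    score = 0.0
    for factor, weight in weights.items():
        s = unit.scores.get(factor)
        if s is None:
            raise ValueError(f"{unit.name}: missing score for {factor}")
        if not LOW <= s <= HIGH:
            raise ValueError(f"{unit.name}: score {s} for {factor} outside {LOW}..{HIGH}")
        score += weight * s
    return round(score, 2)


def prioritize(units, weights):
    """Step 6: sort the audit universe by total risk score, highest first.

    Ties are broken by audit number so the ordering is deterministic.
    Returns (audit_number, name, total_score) tuples.
    """
    validate_weights(weights)
    scored = [(total_risk_score(u, weights), u) for u in units]
    scored.sort(key=lambda pair: (-pair[0], pair[1].audit_number))
    return [(u.audit_number, u.name, s) for s, u in scored]


# The worksheet's default model: ten factors, each weighted 0.1 (sum 1.00).
WEIGHTS = {f"F{i}": 0.1 for i in range(1, 11)}

# Constructed sample audit universe (names and scores are illustrative only).
SAMPLE_UNITS = [
    AuditableUnit(1, "Payroll processing", {f"F{i}": 3 for i in range(1, 11)}),
    AuditableUnit(2, "Visitor log review", {f"F{i}": 1 for i in range(1, 11)}),
    AuditableUnit(3, "Data center operations",
                  {"F1": 3, "F2": 2, "F3": 3, "F4": 1, "F5": 2,
                   "F6": 3, "F7": 2, "F8": 1, "F9": 3, "F10": 2}),
]

if __name__ == "__main__":
    for audit_number, name, score in prioritize(SAMPLE_UNITS, WEIGHTS):
        print(f"{audit_number:>3}  {name:<24} {score:.2f}")
```

The weight check uses a small tolerance because ten floating-point 0.1 values do not sum to exactly 1.0; a spreadsheet hides this, but code that compares with `==` would reject a perfectly valid model.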

FACTORS   F1   F2   F3   F4   F5   F6   F7   F8   F9   F10  TOTAL
WEIGHTS   0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  1.00

AUDIT #   AUDIT UNIVERSE   F1  F2  F3  F4  F5  F6  F7  F8  F9  F10  TOTAL
1         (blank)          1   1   1   1   1   1   1   1   1   1    1
(the remaining audit universe rows of the template are empty; their TOTAL cells show 0)

YEAR:
RISK FACTORS (descriptions, Cells P2..P11; the template holds only placeholder text "jj" for each):
F1, F2, F3, F4, F5, F6, F7, F8, F9, F10

Source file: Wksht7b.xls
SORTED RISK ASSESSMENT MATRIX Worksheet
AUDITOR:
DATE:
AUDIT: DATA CENTER RISK IDENTIFICATION

THREATS (Threat Axis) with RANK:
  1   UNAUTHORIZED EMPLOYEE
  2   SOFTWARE FAILURE
  3   DATA BACK UP FAILURE
  4   HARDWARE FAILURE
  5   FIRE
  6   INTRUDERS
  7   DATA CORRUPTION
  8   HACKERS
  9   NATURAL DISASTER
  10  POWER OUTAGE
  11  KEY COMPONENT FAILURE

RANK  COMPONENTS
  1   POLICIES AND PROCEDURE
  2   HARDWARE
  3   SOFTWARE
  4   PHYSICAL PROTECTION
  5   LOGICAL PROTECTION
  6   PEOPLE
  7   POWER

Matrix cells: the sample row for POLICIES AND PROCEDURE holds the value 1 under each of the 11 threats; the other rows are blank.
Annotation on the sheet: HIGHEST RISK = 3, in the left-most quadrant.

INSTRUCTIONS:
1. Enter Auditor, Date, Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5). Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number) and the least significant (assigning it "1"), and so forth with the next-most and next-least. If there are 9 Threats, the highest value = 9, etc. Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows), using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns), using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner and the lowest risks in the lower right corner (depending on matrix size).
The matrix will register the number of cells to be marked HIGH RISK (Cell H10).

# THREAT list (Cells B27..B38): T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12 (blank in the template)

Source file: wksht3c.xls
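Steps 4 to 8 above are a two-axis ranking followed by a descending sort on each axis, so that the most significant threat becomes the left-most column and the most important component the top row. The Python below is an added example, not the worksheet's own code. The threat and component names and their ranks are the ones printed on the sample sheet. One thing is an assumption: the sheet says only that Cell H10 registers how many cells are marked HIGH RISK, without stating the rule, so this example treats the upper-left quadrant of the sorted matrix as the HIGH RISK region and counts those cells.

```python
"""Sorted risk assessment matrix following the Worksheet 3c procedure.

Added example (not the worksheet's code). The HIGH RISK rule (upper-left
quadrant) is an assumption; the sheet does not state how Cell H10 is derived.
"""

# (name, rank) pairs as printed on the sheet: most significant = highest
# number, least significant = 1, so n entries must carry the ranks 1..n.
THREATS = [
    ("UNAUTHORIZED EMPLOYEE", 1), ("SOFTWARE FAILURE", 2),
    ("DATA BACK UP FAILURE", 3), ("HARDWARE FAILURE", 4), ("FIRE", 5),
    ("INTRUDERS", 6), ("DATA CORRUPTION", 7), ("HACKERS", 8),
    ("NATURAL DISASTER", 9), ("POWER OUTAGE", 10), ("KEY COMPONENT FAILURE", 11),
]
COMPONENTS = [
    ("POLICIES AND PROCEDURE", 1), ("HARDWARE", 2), ("SOFTWARE", 3),
    ("PHYSICAL PROTECTION", 4), ("LOGICAL PROTECTION", 5), ("PEOPLE", 6),
    ("POWER", 7),
]
MAX_AXIS = 12  # the sheet allows at most 12 threats and 12 components


def validate_ranks(axis):
    """Ranks must be exactly 1..n with no gaps or duplicates (steps 4 and 6)."""
    if len(axis) > MAX_AXIS:
        raise ValueError(f"at most {MAX_AXIS} entries per axis, got {len(axis)}")
    ranks = sorted(rank for _, rank in axis)
    if ranks != list(range(1, len(axis) + 1)):
        raise ValueError(f"ranks must be a permutation of 1..{len(axis)}, got {ranks}")


def sort_axis(axis):
    """'Data Sort' on the rank key, descending (steps 5 and 7); returns names."""
    validate_ranks(axis)
    return [name for name, _ in sorted(axis, key=lambda entry: -entry[1])]


def sorted_matrix(threats=THREATS, components=COMPONENTS):
    """Step 8: (row labels, column labels) with the highest risks upper-left."""
    return sort_axis(components), sort_axis(threats)


def high_risk_cells(row_names, col_names):
    """Assumed HIGH RISK rule: (component, threat) pairs in the upper-left quadrant."""
    rows = max(1, len(row_names) // 2)
    cols = max(1, len(col_names) // 2)
    return [(r, c) for r in row_names[:rows] for c in col_names[:cols]]


def high_risk_count(threats=THREATS, components=COMPONENTS):
    """The number the sheet would register in Cell H10 under the assumed rule."""
    rows, cols = sorted_matrix(threats, components)
    return len(high_risk_cells(rows, cols))


if __name__ == "__main__":
    rows, cols = sorted_matrix()
    print("components (top to bottom):", rows)
    print("threats (left to right):   ", cols)
    print("HIGH RISK cells:", high_risk_count())
```

Validating that the ranks form a permutation of 1..n catches the two mistakes the manual procedure invites: two threats given the same rank, and a rank skipped, both of which silently distort the sorted order on the sheet.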
Risks | Source / Cause | Effects

Integrity
  Source / Cause: Data corruption, Errors, Omissions
  Effects: Data corruption. Integrity can be lost from: programming errors, processing (maintenance) errors, management errors
  Definition: This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process.

Relevance
  Source / Cause: No effective communication
  Effects: Not getting "the right data/information to the right: => person => process/system at the right time to allow the right action to be taken"
  Definition: the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

Access
  Source / Cause: Inappropriate security access set-up. Inappropriate access to the processing environment and the programs or data that are stored in that environment. Inappropriate access to the network itself. Unprotected physical devices (from damage, theft and inappropriate access).
  Effects: Confidentiality violation, data lost or data corruption either by virus infection, worm, trojan attack programs etc. Integrity can be lost from: programming errors, processing (maintenance) errors, management errors
  Definition: Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality.

Availability
  Source / Cause: => Natural disasters (Fire, Flood etc) causing hardware and software failure. => Power outage. => Theft. Lack of or weak monitoring of performance.
  Effects: Short term / Long term business disruptions to the system

Infrastructure
  Source / Cause: Lack of or weak organization planning. Lack of proactive security policies and procedures, or inconsistent ones among IS and divisions.
  Effects: Disorganized and dysfunctional IT decisions.
  Definition: the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).
Domain | Policies

User Interface: Proper segregation of duties. The adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.

Processing: Balancing and reconciliation controls to ensure that data processing has been complete and timely.

Interface: To ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.

Data: Adequate data management controls including both the security/integrity of processed data and the effective management of databases and data structures.

Data, Applications, Report

Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.

Application: Define the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.

Data & Data Management: Policies on security related to users' access to specific data or databases within the environment.

Processing Environment: Secure the host computer system where application systems and related data are stored and processed from.

Network: Secure the mechanism used to connect users with a processing environment.

Physical: Policies and procedures related to the physical security of physical IS devices.

Critical IS system, applications and data: Risks that can be avoided by monitoring performance proactively and by addressing systems issues before a problem occurs. Backups and contingency planning policies and procedures where restore/recovery techniques can be used to minimize the extent of a disruption.

IS department mission and organization: Define how I/T will impact the business and how I/T is articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.

Application system definition and deployment: Ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).

Logical security and security administration: Ensure that the organization adequately addresses the "Access risks" by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.

Computer and network operations: Ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.

Business data center recovery: Policies designed to address the "Availability risks" by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.
RISK ASSESSMENT MATRIX: THREATS (columns) by COMPONENTS (rows)

Threat columns: INTEGRITY RISK, RELEVANCE RISK, ACCESS RISK, AVAILABILITY RISK, INFRASTRUCTURE RISKS (each column header carries the definition of that risk as given in the Risks table above).
Component rows, each with a Rank cell: APPLICATION SYST, APPLICATION, NETWORK. In the template every matrix cell and every total is 0.

Total Integrity Risk: sub-columns User Interface, Processing, Error Processing, Interface, Change Management, Data
  User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
  Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
  Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
  Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
  Change Management: These risks are associated with inadequate change management processes, which include user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
  Data: These risks are associated with inadequate data management controls including both the security/integrity of processed data and the effective management of databases and data structures. Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the systems maintenance process).

Total Relevance Risk: the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."

Total Access Risk: sub-columns Business Process, Application, Data & Data Management, Processing Environment, Network, Physical
  Business Process: The organizational decisions as to how to separate incompatible duties within an organization and to provide the correct level of empowerment to perform a function.
  Application: The internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
  Data & Data Management: The mechanism to provide users with access to specific data or databases within the environment.
  Processing Environment: where application systems and related data are stored and processed from. The access risk in this area is driven by the risk of inappropriate access to the processing environment and the programs or data that are stored in that environment.
  Network: The access risk in this area is driven by the risk of inappropriate access to the network itself.
  Physical: Protecting physical devices from damage, theft and inappropriate access.

Total Availability Risk: three sub-columns
  Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
  Risks associated with short term disruptions to the system where restore/recovery techniques can be used to minimize the extent of a disruption.
  Risk associated with disasters that cause longer-term disruptions in information processing and which focus on controls such as backups and contingency planning.

Total Infrastructure Risk: sub-columns Organization Planning, Application system definition and deployment, Logical security and security administration, Computer and network operation, Data & database management, Business data center recovery
  Organization Planning: that the definition of how I/T will impact the business are clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
  Application system definition and deployment: in this area ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
  Logical security and security administration: The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
  Computer and network operation: this area ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
  Data & database management: (no description on the sheet)
  Business data center recovery: The processes in this area are designed to address the Availability risks by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.