Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
PREPARED BY:
DATE:
INSTRUCTIONS: 1. Enter Year, Prepared By, and Date in appropriate Cells.
2. List Risk Factors in use F1..F10 by descriptions in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model.
The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B.
The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1= low, 3= high) for each
risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritze the auditable units.
AUDIT #
FACTORS
WEIGHTS
AUDIT UNIVERSE
F1
0.1
F2
0.1
F3
0.1
F4
0.1
F5
0.1
F6
0.1
F7
0.1
YEAR:
RISK FACTORS
F1
F2
F3
F4
F5
F6
F7
F8
F9
F10
Wksht7b.xls
F9
0.1
F10
0.1
TOTAL
1.00
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
UNAUTHORIZED
EMPLOYEE
AUDIT:
SOFTWARE
DATA BACK
HARDWARE
FAILURE
UP FAILURE
FAILURE
1
2
3
4
RANK
THREATS
RANK
COMPONENTS
POLICIES AND
PROCEDURE
HARDWARE
HIGHEST RISK =
SOFTWARE
PHYSICAL
PROTECTION
LOGICAL
PROTECTION
PEOPLE
POWER
x
x
INSTRUCTIONS:
#
T1
T2
T3
T4
T5
T6
T7
T8
T9
T10
T11
T12
THREAT
AUDIT:
DATA
CORRUPTI
FIRE
INTRUDERS
ON
HACKERS
5
6
7
8
NATURAL
DISASTER
POWER
OUTAGE
9
10
KEY
COMPONENT
FAILURE
11
Risks
Source / Cause
Effects
Integrity
Data corruption
Definition:
This risk encompasses all of the risks
associated with the authorization,
completeness, and accuracy of
transactions as they are entered into,
processed by, summarized by and
reported on by the various
application systems deployed by an
organization. These risks pervasively
apply to each and every aspect of an
application system used to support a
business process
Relevance
No effective communication
Access
Definition:
Access risk focuses on the risk
associated with inappropriate access
to systems, data or information. It
encompasses the risks of improper
segregation of duties, risks
associated with the integrity of data
and databases, and risks associated
with information confidentiality.
Inappropriate access to
processing environment and
the programs or data that are
stored in that environment.
Inappropriate access to the
network itself.
Unprotected physical devices
from damage, theft and
inappropriate access.
Availability
Infrastructure
Definition:
the organization does not have an
effective information technology
infrastructure (hardware, networks,
software, people and processes) to
effectively support the current and
future needs of the business in an
efficient, cost-effective and wellcontrolled fashion. These risks are
associated with the series of
Information Technology (I/T)
processes used to define, develop,
maintain and operate an information
processing environment (e.g.,
computer hardware, networks, etc.)
and the associated application
systems (e.g., customer service,
accounts payable, etc.).
Disorganized and
disfunctional IT decisions.
Lack of proactive security
policies and procedures or
inconsistent one among IS
and divisions.
Domain
Policies
User Interface
Processing
Interface
Data
Data, Applications,
Report
Processing
Environment
Network
Physical
IS department
mission and
organization
Logical security
and security
administration
Computer and
network
operations
Business data
center recovery
COMPONENTS
AVAILABILITY
RISK
RELEVANCE RISK
ACCESS RISK
INFRASTRUCTURE RISKS
the organization does not have an
effective information technology
infrastructure (hardware, networks,
software, people and processes) to
effectively support the current and
future needs of the business in an
efficient, cost-effective and wellcontrolled fashion. These risks are
associated with the series of
Information Technology (I/T)
processes used to define, develop,
maintain and operate an
information processing
environment (e.g., computer
hardware, networks, etc.) and the
associated application systems
(e.g., customer service, accounts
payable, etc.).
Rank
APPLICATION
SYST
APPLICATION
NETWORK
Total Integrity
Risk
User Interface
COMPONENTS
whether there are adequate
restrictions over which individuals in
an organization are authorized to
perform business/system functions
based on their job need and the need
to enforce a reasonable segregation
of duties. Other risks in this area
relate to the adequacy of preventive
and/or detective controls that ensure
that only valid data can be entered
into a system and that the data is
complete.
Rank
0
Processing
Error Processing
Interface
Change
Management
These risks are
associated with
inadequate change
management
processes include
user involvement
and training as well
as the process by
which changes to
any aspect of an
application system
is both
communicated and
implemented.
Data
These risks are associated with
inadequate data management
controls including both the
security/integrity of processed data
and the effective management of
databases and data structures.
Integrity can be lost because of
programming errors (e.g., good data
is processed by incorrect programs),
processing errors (e.g., transactions
are incorrectly processed more than
once against the same master file),
or management/process errors (e.g.,
poor management of the systems
maintenance process).
Rank
Total
Access
THREATS Risk
The
Business
organizational
Process
decisions as to
how to
separate
incompatible
duties within
an
organization
and to provide
the correct
level of
empowerment
to perform a
function.
COMPONENTS Rank
Rank
0
Application
Processing
Environment
where application
systems and related
data are stored and
The
processed from. The
The internal
mechanism to access risk in this area
application security provide users
is driven by the risk of
mechanisms that
with access to inappropriate access to
provide users with
specific data or processing environment
the specific functions databases
and the programs or
necessary for them within the
data that are stored in
to perform their jobs. environment
that environment.
Network
Physical
environment.
The access
risk in this
area is driven
by the risk of
inappropriate
access to the
network itself.
Protecting
physical
devices from
damage, theft
and
inappropriate
access.
Risks associated
with short term
disruptions to
system
COMPON Rank
ENTS
Rank
and proactively
addressing systems
issues before a
problem occurs
where
restore/recovery
techniques can be
used to minimize
the extent of a
disruption
Risk associated
with disasters
THREATS Total
Organization
Infrastruct Planning
ure Risk
Application system
definition and
deployment
Logical security
and security
administration
The processes in
this area ensure
that the
organization
adequately
addresses the
Access risks by
establishing,
maintaining and
monitoring a
comprehensive
system of
internal security
that meets
managements
policies with
respect to the
integrity and
confidentiality of
the data and
information
within the
organization and
an organizations
need to reduce it
Empowerment
and Fraud risks
to acceptable
levels.
COMPON Rank
ENTS
that the definition
of how I/T will
impact the
business are
clearly defined and
articulated. It is
important to have
adequate executive
level support and
buy-in to this
direction and an
adequate
organizational
(people and
process) planning
to ensure that I/T
efforts will be
successful.
Computer and
Data &
Business data center
network operation database recovery
manage
ment