not have a risk policy and if there are any informal risk processes which are not documented. Informal risk processes would be a good starting point for management to consider in developing a risk policy. Information on informal risk processes can be collected by interviewing the board, management, and the other stakeholders.
b) What does the risk management policy include?
The risk policy should cover the enterprise end to end. The policy would address areas such
as financial risk, operational risk, IT risk, business risk, unknown risk, and other risk areas.
The other way would be to look at all the functions or departments in the organisation and
try to assess what the risk policy should include.
The IS auditor would be required to review the policy in order to determine what is included in the policy. The use of a particular international risk management standard would be helpful in assessing what is or is not included in the policy. Discussions with the risk committee or manager would help to gather more information on the policy and also help verify what is in the policy and what has actually been implemented. More importantly, the IS auditor would need to collect evidence which will help in concluding that the policy includes all important aspects of the enterprise. This evidence can be found in the operational procedures of various departments and in how they handle risk procedures.
c) What standard has been used to develop and implement the risk policy?
The enterprise might implement a risk framework based on an international standard such
as ISO 31000 or any other standards published by professional organisations. Enterprises
can also develop internal standards which can be used to implement a risk framework. In
order to ensure that the policy is based on best practice, the IS auditor should review the
risk policy and determine the standard used to develop the policy.
The IS auditor should collect a copy of the standard used and the risk policy for further
analysis. It is also possible that the enterprise could have used more than one standard to
develop the risk policy. Enterprises are not restricted to using only one standard and can
also include their own internally developed standards.
It is important that the IS auditor carries out some background research on the standards
used. It is not unusual to find important updates which could have been released but not
included in the risk policy for some reason.
d) What is the IT risk appetite of the enterprise?
The enterprise might decide to mitigate all the IT risks which have been identified by the risk team. In real life, it might not be possible to treat all risks. Management might also decide to accept some IT risks and hope nothing happens. These are often IT risks which have a lower impact, or whose financial cost is so high that management might decide to meet the