cost of replacement if a disaster occurs. Normally enterprises treat risks in many ways. Insurance is one way of transferring risk.
Evidence on IT risk appetite can be obtained by interviewing the board or senior management. They have overall responsibility for managing risks and are in the best position to know the enterprise's IT risk appetite. Many enterprises with a formal risk function document the enterprise's risk appetite.
e) What are the key IT risks in the enterprise?
There are many IT risks which might impact the operations of an enterprise, and through an effective IT risk assessment the enterprise can identify its key IT risks. Many IT risks are common to most enterprises, while a few others may be specific to a particular enterprise, depending on the nature of its operations and the IT systems in use. The IS auditor may be required to review the enterprise's IT risk register in order to find out what the enterprise has listed as possible risks.
Loss of data is a key risk since enterprises are highly dependent on IT and use information
systems as their lifeline. Loss of data can be through theft by internal or external persons.
Data can also be lost through damage to computer systems or malfunctioning systems.
There is also a risk of breaking the law, for example by not observing personal privacy
laws. Management should ensure that staff are aware of personal privacy laws and develop
internal policies and procedures which will ensure that these laws are observed.
Loss of information to competitors is also a possible risk. Industrial espionage is common and can lead to competitors learning a company's strategy and using it to their advantage.
The IS auditor should consider drafting additional questions as follow-up questions using
the points listed above.
f) Does the enterprise have a risk management function?
An enterprise may or may not have a risk management function. Depending on its size and the type of business it is involved in, an enterprise may choose to establish an internal risk function or may opt to use external consultants.
Where a risk management department exists, the IS auditor may request an outline of the functions of the risk department. The IS auditor will need to understand the role and function of the risk department, especially regarding the development, management, and monitoring of risk. The auditor may also request the organisational structure of the department in order to obtain an appreciation of its functions and control structure.