6. to find out how identified risks are being mitigated and how residual risk is being treated by management
7. to investigate how risks and impact are being analysed in order to determine appropriate risk treatment
8. to determine how operational staff comply with various risk and operational procedures in order to ensure that risk is properly managed.
IT Risk Governance
The board and senior management should set the tone for how risk will be managed in the enterprise and state their risk appetite: which risks they will treat and which they will accept as untreatable. IS auditors will focus on a number of issues when auditing IT risks, which we cover later in the chapter.
IT risk governance focuses on how the board and senior management handle IT risks in the enterprise. The IS auditor should first find out whether the board understands the risks the enterprise is facing. This can be done by interviewing board members and reviewing records of board meetings. Views among board members may differ for various reasons, but it is generally expected that the board and management will speak with one voice.
The board sets guidance through risk strategies, and management operationalises the framework through implementation of policies and procedures. In order to ensure that risk strategies are being implemented as the board intends, feedback should be given to the board through formal reports or briefings during board meetings. Senior management should also receive feedback from middle management on IT risk compliance.
It is the responsibility of both the board and management to monitor how IT risk management is being implemented in the enterprise. One way in which management can demonstrate that IT risk compliance is observed is by enforcing adherence to IT risk procedures, and management can put in place various mechanisms to ensure that compliance.
In order to monitor risks effectively in the enterprise, management should ensure that regular IT risk audits are performed and reported to the board and senior management. It is recommended that independent IS auditors are used in addition to internal IS auditors, since independent IS auditors may discover issues that are not regularly reported by internal auditors or by the risk management team when performing self-assessments.
Risk Management Committee
The board or senior management are normally busy people and delegate the risk management responsibilities to a team of risk specialists and senior line managers or directors to handle the day-to-day management of risks. In some enterprises, the responsibility can