information on what clients think of the enterprise and what the enterprise is doing and not
doing.
The risk management committee will also be responsible for performing risk assessments.
It is required to perform them at scheduled intervals and whenever new IT projects
are initiated or major changes are being made to existing systems. We will discuss auditing
IT risk assessments in more detail later in the chapter.
Change management controls are implemented whenever changes are made to systems. The
objective is that changes are properly managed: they are tested and approved before they
are deployed, and they can be rolled back in the event that the implementation goes wrong.
The IS auditor would test whether change management is being implemented by checking the
documentation of change controls, such as evidence of testing and approval of changes
before they are deployed into production.
Implementing new projects or making major changes or upgrades to existing systems means that
new risks might be introduced into the enterprise. A typical example would be a newly
implemented system which lacks a function for alerting customers that their subscriptions
are due for payment. If the enterprise goes ahead and implements such a system, it might lose
revenue, as some clients may not pay on time or may wait until their subscriptions expire.
We will also discuss auditing IT projects in more detail later in the chapter.
Risk Management Frameworks
As we build up our understanding of auditing IT risk management, let us refer to the
common risk management standards which enterprises use to implement risk management.
There are many such standards. Some enterprises implement their own internally developed
standards, which are usually a mix of various international standards. A typical example
is project risk, for which guidance exists in several versions promoted by international
organisations: the Project Management Institute through the PMBOK Guide, the International
Organization for Standardization through ISO 31000, and the PRINCE2 project management
method.
ISO 31000 is one of the risk management standards which have been used to implement
risk management in many enterprises. The standard is general purpose and can be used by
any organisation in any sector. It provides a process for managing risk that covers
identifying risks and threats, analysing and evaluating them, and deciding how to treat them.
ISO/IEC 27005 is an information security standard which is deliberately risk-aligned in
order to address information security risks. The standard provides guidelines for
information security risk management and supports the risk management requirements of
ISO/IEC 27001, the information security management system standard.
COBIT 5 for Risk has been developed by ISACA to assist with the effective management of IT risk.
The framework focuses on linking information technology risk with business performance.