A risk assessment plan is an annual plan that includes a risk assessment schedule outlining how often risk assessments should be conducted. One key requirement is that a risk assessment is conducted every time a new project is implemented, because projects do have an impact on the enterprise. Such risk assessments provide vital information on how the project would affect the enterprise as a whole and whether it introduces new risks into the enterprise.
Figure 6.4 shows four types of risk assessment. The first is the annual risk assessment, which can be conducted at the beginning of the year. The second is the periodic risk assessment, which can be conducted every quarter, with the results compared against the annual risk assessment. Every project in the enterprise should be subjected to a risk assessment. Project risk assessments can be conducted at the beginning and at the end of the project, and more frequently depending on project requirements.
                           Q1   Q2   Q3   Q4
Annual Risk Assessment     Y
Periodic Risk Assessment   Y    Y    Y    Y
Project 1                  two assessments (Y, Y); the quarters are not recoverable from the extracted figure
Project 2                  two assessments (Y, Y); the quarters are not recoverable from the extracted figure
Figure 6.4 Risk Assessment Plan
Auditing a risk management plan and its implementation is essential, as it enables the IS auditor to assess how effective the plan is and how well the enterprise is managing IT risk. The IS auditor may also be required to review the results of the annual and periodic assessments in addition to project-specific risk assessments.