A risk assessment is an evaluation of an organization, a portion of an organization, an information system, or system components to determine the security risk. Information systems auditors should perform risk assessments as part of the risk analysis process to identify which parts or functions of the business pose the highest risk. A detailed risk assessment report should be provided periodically to management and the audit committee to justify the need for auditing, to verify business objectives, and to identify potential auditing needs.
There are a number of auditing methodologies used to assess risk within an organization. Computerized and non-computerized assessment methods exist that classify each risk as high, medium, or low, as determined by the auditor. A more complex assessment technique takes a more scientific approach and applies a numeric risk rating to each item assessed. A judgmental risk assessment is another option: the auditor provides an independent decision based on substantial knowledge of the business as a whole and of its goals and objectives. Residual risk is the risk that remains after the risk assessment and mitigation have been completed. Management must then decide whether that residual risk should be further mitigated or accepted.
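As an added illustration (not part of the original text), the following puts the numeric rating approach beside the high/medium/low bands and the residual-risk decision point described above. The 1-5 scales, the band thresholds, the control-effectiveness factor and the register entries are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed bands for the inherent score (likelihood * impact, range 1..25).
LOW_MAX, MEDIUM_MAX = 5, 14


@dataclass
class Risk:
    asset: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully mitigated)

    def __post_init__(self):
        # Reject register entries outside the assumed scales instead of scoring them.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: control effectiveness must be 0..1")


def inherent_score(r: Risk) -> int:
    """Numeric rating before any mitigation is credited."""
    return r.likelihood * r.impact


def rating(score: float) -> str:
    """Map a numeric score onto the high/medium/low classification."""
    if score <= LOW_MAX:
        return "low"
    return "medium" if score <= MEDIUM_MAX else "high"


def residual_score(r: Risk) -> float:
    """Risk remaining after the existing controls are taken into account."""
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 1)


def above_acceptable(register: list[Risk], acceptable: float) -> list[Risk]:
    """Items whose residual risk exceeds the level management has accepted;
    these are the ones management must decide to mitigate further or accept."""
    return [r for r in register if residual_score(r) > acceptable]


# Constructed sample register (hypothetical assets and scores).
REGISTER = [
    Risk("customer PII database", likelihood=4, impact=5, control_effectiveness=0.6),
    Risk("payment gateway", likelihood=3, impact=5, control_effectiveness=0.8),
    Risk("internal wiki", likelihood=2, impact=2, control_effectiveness=0.0),
    Risk("backup tapes", likelihood=3, impact=4, control_effectiveness=0.25),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:22} inherent={inherent_score(r):2} ({rating(inherent_score(r))})"
              f"  residual={residual_score(r):4} ({rating(residual_score(r))})")
    print("needs management decision:", [r.asset for r in above_acceptable(REGISTER, 5.0)])
```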
Risk analysis is typically performed early in the auditing process to detect, analyze, and resolve potential risk issues within an organization. An information systems auditor typically focuses on the high-risk areas of an organization, such as regulatory requirements and the privacy, confidentiality, integrity, and availability of assets. The mitigation techniques used to secure those assets are also analyzed. This information helps the auditor develop audit objectives.
Determining potential risks is an ongoing process that requires continual risk assessment, risk mitigation, and the identification and handling of newly discovered risks. By following this process, the auditor can determine whether risks are being mitigated to a level acceptable to management.