2.3. RISK ASSESSMENT
Now that the computing systems in an organization have been identified, one has the necessary information to begin performing a risk assessment of the IS environment. Additional data regarding the dollar amounts, transaction volume, and other information should be obtained to enable ranking of the computing systems from most risky to least risky. It is a good idea to record all the computing system demographic information in a spreadsheet, database, or other audit planning application. The computing systems can then be sorted by various criteria, such as process owner, dollar volume, operating system, and application type. Often this can aid in audit efficiency and effectiveness by assisting in determining which audits need to be performed and the order in which they should be performed. As previously mentioned, special over-the-counter software applications are available to assist in the risk assessment process. However, such software is by no means a requirement. An internally developed spreadsheet or database application may be quite sufficient.
Examine the application description column in Exhibit 2.1. You will notice some very high-risk computing systems. For example, wire transfer systems present the single highest risk that financial institutions face.[] Automated clearing house (ACH) transactions are also a high-risk process. In many U.S. financial institutions, wire transfer and ACH transactions are processed through a single personal computer (PC)–based ...
Get Auditing Information Systems, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.