PR No: - 07030245017
Student Name: - Mohammad Mohsin Khan
Specialisation: - Systems (2007 – 2009)
Acknowledgement
I would like to thank Ms. Shaila Kagal (Director, SCIT) for giving me this
opportunity to do Research & Development on “A Model for Control Assessment for
Credit Card Industry”
I am highly indebted to Professor Manoj Hudnurkar, who has given me the opportunity
to do the research on the topic “A Model for Control Assessment for Credit Card
Industry”. In spite of the severe paucity of time, his valuable suggestions enabled me
to fulfil the objectives of my project. He has shown immense patience and
understanding in the face of testing difficulties and even kept my morale high. The
periodic inputs by such experts were instrumental in expediting my work. His
willingness to guide me at every turn spurred me on to put in my best efforts.
I would also like to thank Mr. Chaitanya V.K (Business Advisory, Ernst & Young) and
Mr. Anil Bhandari (Founder, Director ANB Consulting Pvt Co); without their help I
would not have been able to complete the research.
I also extend my gratitude to all the faculty of SCIT for their support. They gave me
great help in understanding certain concepts. Their experience was of immense help
to me.
Symbiosis Centre for Information Technology
(A constituent Institute of Symbiosis International University, estd. Under Section 3 of UGC Act 1956)
MBA Batch 2007-09
Table of Contents
1. Chapter 1: Introduction (p. 4)
   1.1. Brief on Research Topic (p. 4)
   1.2. Summary of Abstract (p. 4)
   1.3. Objective (p. 5)
   1.4. Methodology (p. 5)
2. Chapter 2: Literature Review (p. 6)
   2.1. Risk Assessment (p. 6)
   2.2. Steps for Process for Assessing and Managing Risk in SCM (p. 7)
   2.3. CORAS approach to risk assessment (p. 7)
   2.4. Committee of Sponsoring Organizations of the Treadway Commission (COSO) Model for Enterprise Risk Management (ERM) (p. 8)
   2.5. COSO based Process Assessment Model (p. 9)
   2.6. Failure Modes, Effects and Criticality Analysis (FMECA) (p. 10)
3. Chapter 3: Analysis of Work Done (p. 12)
   3.1. Analysis of Work Done (p. 12)
        Risk Identification Process (p. 12)
        It consists of the risk management process which involves (p. 12)
        COSO ERM Framework (p. 12)
        COSO based Process Assessment Model (p. 13)
        Fig 4. COSO based Process Assessment Model (p. 13)
        Failure Modes, Effects and Criticality Analysis (FMECA) (p. 13)
        Failure Modes, Effects and Criticality Analysis (FMECA) (p. 14)
   3.2. The Model (p. 15)
        Steps to Create the Model (p. 15)
        Identification of Process and Activities (p. 15)
        Monitoring and Control Framework (p. 15)
        Classifying Risk (p. 16)
        Classification of Risk (p. 17)
        Classifying Impact Level (p. 18)
        Construct the Hazard Totem Pole Chart (HTP) (p. 20)
   3.3. Framework Pyramid (Proposed) (p. 23)
   3.4. Possible applications in the industry (p. 23)
4. Chapter 4: Findings, Recommendations & Conclusion (p. 24)
   4.1. Findings (p. 24)
   4.2. Recommendation (p. 25)
   4.3. Conclusion (p. 26)
   4.4. References (p. 27)
1.3. Objective:
To prepare a model which will achieve a standardization of method and
techniques to be followed for preparing a Control Assessment plan as an output,
independent of individual capabilities.
1.4. Methodology:
Collecting data from secondary resources and analyzing for trends in
them for control assessment.
1. Collection of data about the various techniques used in preparation of Risk
Management Plan.
2. Collecting details about the various models which are currently being
applied in the industry.
3. Feasibility of the models as per industry.
4. Application area in the industry.
5. The technical as well as business environments for application.
6. Advantages and disadvantages of these models.
7. Comparison of the models and the various techniques that could be
amalgamated in this new model.
8. Preparation of the new model.
9. Possible application in the industry.
Getting inputs from Mentor and Guide regarding the progress and
ascertaining the right direction.
1. Validation of data from guide and mentor.
2. Charting out course of preparation of the new model.
3. Validation of the models and how to go about the techniques.
4. Using the mentors' and guide's industrial as well as domain experience in
model building.
5. Verification of the final model.
2.2. Steps for Process for Assessing and Managing Risk in SCM:
1. Identify potential risk factors.
2. Assess the severity of the consequences of the identified risk factors.
3. Assess the likelihood of occurrence of the identified risk factors.
4. Classify the identified risk factors.
5. Determine the cost of implementing the risk response action plan.
6. Determine the risk priority indices.
7. Construct the hazard totem pole chart.
2.4. Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Model for Enterprise Risk
Management (ERM):
COSO was formed in the year 1985 to sponsor the work of what became
commonly referred to as the Treadway Commission. COSO sponsors were
(and remain) American Accounting Association (AAA), Institute of
Management Accountants (IMA), Institute of Internal Auditors (IIA), AICPA
and the Financial Executives International (FEI).
The Public Company Accounting Oversight Board (PCAOB) recommended the
COSO model as a way to evaluate and report on internal controls. Thus, PCAOB
Auditing Standard No. 2 (AS2) entrenched the COSO model as a tool that auditors,
internal and external, needed to understand, especially in applying it to section 404
evaluations of internal controls.
COSO defines internal control as "a process, effected by an entity’s board of
directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in (1) the effectiveness and
efficiency of operations, (2) the reliability of financial reporting and (3)
compliance with applicable laws and regulations." The COSO Model of Internal
Controls uses five elements of internal control: control environment, risk
assessment, information and communication, control activities, and
monitoring.
There are various important ERM frameworks, each of which describes an
approach for identifying, analyzing, responding to, and monitoring risks and
opportunities, within the internal and external environment facing the
enterprise. Management selects a risk response strategy for specific risks
identified and analyzed, which may include:
a. Avoidance: exiting the activities giving rise to risk.
b. Reduction: taking action to reduce the likelihood or impact related to the
risk.
c. Share or insure: transferring or sharing a portion of the risk, to reduce it.
d. Accept: no action is taken, due to a cost/benefit decision.
The COSO ERM Framework has eight components and four objective
categories. It is an expansion of the COSO Internal Control-Integrated
Framework published in 1992 and amended in 1994. The eight components are:
a. Internal Environment.
b. Objective Setting.
c. Event Identification.
d. Risk Assessment.
e. Risk Response.
f. Control Activities.
g. Information and Communication.
h. Monitoring.
The four objective categories are:
a. Strategy - high-level goals, aligned with and supporting the organization's
mission.
b. Operations - effective and efficient use of resources.
c. Financial Reporting - reliability of operational and financial reporting.
d. Compliance - compliance with applicable laws and regulations.
2.5. COSO based Process Assessment Model:
The Process Assessment Model defines a two-dimensional model of process
capability. In one dimension i.e. the process dimension, the processes are
defined and classified into process categories. In the other dimension, the
capability dimension, a set of process attributes grouped into capability levels
is defined. The process attributes provide the measurable characteristics of
process capability.
activities, resources or results associated with the achievement of the attribute
purpose by a process.
The first three capability levels focus on the instance or activity view of
the processes, while from level 3 upward the attributes focus on the corporate
entity view. This observation helps us understand how the COSO Internal
Control and ERM frameworks fit into this assessment model: the third
dimension of the Internal Control framework is the Unit/Activity, while in ERM
the third dimension is the corporate structure.
b. Establish the ground rules.
c. Gather and review relevant information.
d. Identify the item(s) or process(es) to be analyzed.
e. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for
each item or process to be analyzed.
f. Evaluate the risk associated with the issues identified by the analysis.
g. Prioritize and assign corrective actions.
h. Perform corrective actions and re-evaluate risk.
i. Distribute, review and update the analysis, as appropriate
Risk Evaluation Methods: A typical FMEA incorporates some method to
evaluate the risk associated with the potential problems identified through the
analysis. The two most common methods are Risk Priority Numbers and
Criticality Analysis.
Risk Priority Numbers: To use the Risk Priority Number (RPN) method to
assess risk, the analysis team must:
a. Rate the severity of each effect of failure.
b. Rate the likelihood of occurrence for each cause of failure.
c. Rate the likelihood of prior detection for each cause of failure (i.e. the
likelihood of detecting the problem before it reaches the end user or
customer).
d. Calculate the RPN by obtaining the product of the three ratings:
RPN = Severity x Occurrence x Detection
Criticality Analysis (quantitative and qualitative): To use the quantitative
criticality analysis method, the analysis team must:
a. Define the reliability/unreliability for each item, at a given operating time.
b. Identify the portion of the item’s unreliability that can be attributed to each
potential failure mode.
c. Rate the probability of loss (or severity) that will result from each failure
mode that may occur.
d. Calculate the criticality for each potential failure mode by obtaining the
product of the three factors:
Mode Criticality = Item Unreliability x Mode Ratio of
Unreliability x Probability of Loss
e. Calculate the criticality for each item by obtaining the sum of the
criticalities for each failure mode that has been identified for the item.
Item Criticality = SUM of Mode Criticalities
To use the qualitative criticality analysis method to evaluate risk and
prioritize corrective actions, the analysis team must:
a. Rate the severity of the potential effects of failure.
b. Rate the likelihood of occurrence for each potential failure mode.
c. Compare failure modes via a Criticality Matrix, which identifies severity
on the horizontal axis and occurrence on the vertical axis.
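The RPN, quantitative criticality and qualitative criticality-matrix arithmetic described above, as an added Python example (not code from the report); the failure modes, ratings, item unreliabilities and the severity/occurrence bands used to place modes on the matrix are constructed for illustration.

```python
"""FMECA risk evaluation: Risk Priority Numbers, quantitative criticality and a
qualitative criticality matrix.  Added example; the failure modes, ratings and
the rating bands below are constructed, not taken from the report."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    severity: int            # 1 (no effect) .. 10 (hazardous): rating of the effect
    occurrence: int          # 1 (remote) .. 10 (almost certain): rating of the cause
    detection: int           # 1 (certain to be detected) .. 10 (cannot be detected)
    mode_ratio: float        # share of the item's unreliability attributed to this mode
    loss_probability: float  # probability of loss (severity) if the mode occurs

    def rpn(self) -> int:
        # RPN = Severity x Occurrence x Detection
        return self.severity * self.occurrence * self.detection


def mode_criticality(item_unreliability: float, fm: FailureMode) -> float:
    # Mode Criticality = Item Unreliability x Mode Ratio of Unreliability x Probability of Loss
    return item_unreliability * fm.mode_ratio * fm.loss_probability


def item_criticality(unreliability: Dict[str, float],
                     modes: List[FailureMode]) -> Dict[str, float]:
    # Item Criticality = SUM of Mode Criticalities for that item's failure modes
    totals: Dict[str, float] = {}
    for fm in modes:
        totals[fm.item] = totals.get(fm.item, 0.0) + mode_criticality(unreliability[fm.item], fm)
    return totals


def rank_by_rpn(modes: List[FailureMode]) -> List[Tuple[str, int]]:
    # Highest RPN first: the order in which corrective actions get assigned
    return sorted(((fm.mode, fm.rpn()) for fm in modes), key=lambda t: -t[1])


# Constructed bands for the qualitative method: a 1..10 rating is collapsed into
# the category printed on the criticality-matrix axes (upper bound, label).
SEVERITY_BANDS = [(2, "minor"), (5, "marginal"), (8, "critical"), (10, "catastrophic")]
OCCURRENCE_BANDS = [(2, "remote"), (5, "occasional"), (8, "probable"), (10, "frequent")]


def band(rating: int, bands: List[Tuple[int, str]]) -> str:
    for upper, label in bands:
        if rating <= upper:
            return label
    raise ValueError(f"rating out of range: {rating}")


def criticality_matrix(modes: List[FailureMode]) -> Dict[Tuple[str, str], List[str]]:
    # Cell (severity band, occurrence band) -> failure modes that fall in it;
    # severity runs along the horizontal axis, occurrence along the vertical axis.
    cells: Dict[Tuple[str, str], List[str]] = {}
    for fm in modes:
        key = (band(fm.severity, SEVERITY_BANDS), band(fm.occurrence, OCCURRENCE_BANDS))
        cells.setdefault(key, []).append(fm.mode)
    return cells


# Constructed sample: two items from a card-processing flow.
SAMPLE_MODES = [
    FailureMode("Authorization", "Fraud rule set not applied", 9, 3, 4, 0.6, 0.5),
    FailureMode("Authorization", "Host timeout declines genuine transactions", 5, 6, 2, 0.4, 0.2),
    FailureMode("Chargeback handling", "Dispute filed after network deadline", 7, 4, 6, 1.0, 0.8),
]
# Constructed item unreliability at the chosen operating time (one month of operation).
SAMPLE_UNRELIABILITY = {"Authorization": 0.02, "Chargeback handling": 0.05}

if __name__ == "__main__":
    for mode, rpn in rank_by_rpn(SAMPLE_MODES):
        print(f"RPN {rpn:4d}  {mode}")
    for item, crit in item_criticality(SAMPLE_UNRELIABILITY, SAMPLE_MODES).items():
        print(f"Item criticality {crit:.4f}  {item}")
    for cell, names in sorted(criticality_matrix(SAMPLE_MODES).items()):
        print(cell, names)
```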
2. Operations - effective and efficient use of resources
3. Financial Reporting - reliability of operational and financial reporting
4. Compliance - compliance with applicable laws and regulations.
Failure Modes, Effects and Criticality Analysis (FMECA):
FMECA requires the identification of the following basic information:
1. Item(s)
2. Function(s)
3. Failure(s)
4. Effect(s) of Failure
5. Cause(s) of Failure
6. Current Control(s)
7. Recommended Action(s)
8. Plus other relevant details
The basic steps for performing an FMEA/FMECA analysis include:
1. Assemble the team.
2. Establish the ground rules.
3. Gather and review relevant information.
4. Identify the item(s) or process(es) to be analyzed.
5. Identify the function(s), failure(s), effect(s), cause(s) and control(s) for
each item or process to be analyzed.
6. Evaluate the risk associated with the issues identified by the analysis.
7. Prioritize and assign corrective actions.
8. Perform corrective actions and re-evaluate risk.
9. Distribute, review and update the analysis, as appropriate.
3.2. The Model:
Steps to Create the Model:
Identification of the common steps in all the models mentioned above.
The common steps are:
1. Identify potential risk factors
2. Assess the severity of the Consequences of the Identified Risk factors.
3. Assess the Likelihood of Occurrence of the Identified Risk Factors.
4. Classify the Identified risk factors.
5. Determine the cost of implementing risk response action plan.
6. Determine the risk priority indices.
7. Construct hazard totem pole chart.
Classifying Risk:
One technique is to identify the level of each process with respect to the COSO
ERM Framework.
Classification of Risk:
Different techniques to Quantify Risk:
1. The first set of factors relates to the threat agent involved. The goal here
is to estimate the likelihood of a successful attack by this group of threat
agents. Use the worst-case threat agent.
a. Skill level
b. Motive
c. Opportunity
d. Size
2. Vulnerability Factors:
a. Ease of discovery
b. Ease of exploit
c. Awareness
3. Using FMECA to Calculate COPQ (Cost of Poor Quality):
a. Step 1: Identify the potential causes of failures using the inputs from an
input-output diagram and import them into the FMEA tool. Avoid any
initial prioritization of inputs such as through a cause-and-effect matrix, to
ensure that all possible failure modes are included in the COPQ analysis.
Include only controlled factors (inputs) in the analysis. This is important,
as existing costs for uncontrolled factors cannot be calculated with
confidence.
b. Step 2: After importing the inputs, review the list with the team to ensure
all potential failures are identified. Include every possible failure even if
the process has not experienced it. If there is a risk for failure, the team
must identify it and include the potential cost of failure in the COPQ
calculation.
c. Step 3: Perform the risk prioritization calculation for each individual
potential failure mode by using the FMECA tool. Record the Risk Priority
Number values as a calculation of severity, occurrence and detection
scores as follows:
Risk Priority Number = Severity x Occurrence x Detection
d. Step 4: Using team inputs and any available estimation tools, calculate the
average cost to resolve (ACR) for each potential cause of failure. The cost
will be a multiple of estimated effort hours to resolve (EHR) and the
average cost per effort hour (ACH). Note that the estimation in this step
tends to have a 90- to 95-percent confidence level, which is an acceptable
level for isolating the COPQ.
ACR_i = EHR_i x ACH_i
Where: ACR_i = Average cost to resolve incident i
EHR_i = Effort hours to resolve incident i
ACH_i = Average cost per hour for incident i
i = 1 to n (n being the total number of failures)
e. Step 5: Calculate the average effort cost required to resolve a random
incident by using the weighted average of time to resolve the failure
weighted by the risk priority of each failure.
Weighted Average Cost to Resolve (WACR) = Sum of (RPN_i x ACR_i) / Sum of (RPN_i)
f. Step 6: Calculate the COPQ for the process by multiplying the random
incident cost and the potential reduction in incidents (per year) as
identified in the past process data.
COPQ = WACR x Reduction in Events Due to the Project
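Steps 1 and 3 to 6 of the COPQ calculation carried through end to end, as an added Python example (not the report's code nor the FMECA tool the steps refer to); the failure causes, ratings, effort hours, hourly costs and the yearly reduction figure are constructed, and the uncontrolled cause shows the step 1 exclusion.

```python
"""COPQ from FMECA ratings: RPN -> ACR -> WACR -> COPQ (steps 3 to 6 above),
with the step 1 rule that only controlled factors enter the analysis.
Added example; the causes, ratings and cost figures below are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FailureCause:
    cause: str
    severity: int            # 1..10
    occurrence: int          # 1..10
    detection: int           # 1..10
    effort_hours: float      # EHR_i: estimated effort hours to resolve one incident
    cost_per_hour: float     # ACH_i: average cost per effort hour
    controlled: bool = True  # step 1: only controlled factors enter the analysis

    def rpn(self) -> int:
        # Step 3: Risk Priority Number = Severity x Occurrence x Detection
        return self.severity * self.occurrence * self.detection

    def acr(self) -> float:
        # Step 4: ACR_i = EHR_i x ACH_i
        return self.effort_hours * self.cost_per_hour


def analysable(causes: List[FailureCause]) -> List[FailureCause]:
    # Step 1: drop uncontrolled factors; their existing cost cannot be estimated with confidence
    return [c for c in causes if c.controlled]


def wacr(causes: List[FailureCause]) -> float:
    # Step 5: WACR = Sum(RPN_i x ACR_i) / Sum(RPN_i), the RPN being the weight
    cs = analysable(causes)
    total_weight = sum(c.rpn() for c in cs)
    if total_weight == 0:
        raise ValueError("no controlled failure causes to weight")
    return sum(c.rpn() * c.acr() for c in cs) / total_weight


def copq(causes: List[FailureCause], reduction_in_events_per_year: float) -> float:
    # Step 6: COPQ = WACR x reduction in events due to the project
    return wacr(causes) * reduction_in_events_per_year


# Constructed sample: failure causes in a card-statement generation process.
SAMPLE_CAUSES = [
    FailureCause("Wrong interest rate applied", 8, 5, 3, effort_hours=10, cost_per_hour=50),
    FailureCause("Statement sent to stale address", 5, 6, 2, effort_hours=4, cost_per_hour=40),
    FailureCause("Batch job fails, statements late", 6, 5, 4, effort_hours=20, cost_per_hour=60),
    # Uncontrolled input (postal disruption): excluded by step 1
    FailureCause("Postal delivery disruption", 4, 3, 7, effort_hours=2, cost_per_hour=40,
                 controlled=False),
]
SAMPLE_REDUCTION_PER_YEAR = 25  # constructed: incidents the project is expected to remove per year

if __name__ == "__main__":
    for c in analysable(SAMPLE_CAUSES):
        print(f"{c.cause:36s} RPN={c.rpn():4d} ACR={c.acr():8.2f}")
    print(f"WACR = {wacr(SAMPLE_CAUSES):.2f}")
    print(f"COPQ = {copq(SAMPLE_CAUSES, SAMPLE_REDUCTION_PER_YEAR):.2f} per year")
```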
Based on the above impact classification, each type of impact has been assigned
a score:
Code  Classification                      Score
F     Financial                           5
Q     Quality / Customer Service          4
S     Information security / Data loss    3
D     Delay in TAT / Deviation in SOP     2
P     Defective product                   1
Now, determine the cost of implementing the risk response plan. Here the cost
depends on the company's revenue, size and other parameters; the organization
determines the cost index from the following table:
Cost Strategies    Implementation Cost*    Cost Index
Construct the Hazard Totem Pole Chart (HTP):
HTP analysis provides a method for the systematic analysis of risk.
It is pyramidal in shape, with the most significant risks at the top (sharply pointed,
for immediate management attention) and less significant risks at the bottom.
The risks at the top of the HTP represent catastrophic consequences that can be
eliminated or contained for a small amount of money. As we go down the
HTP chart, the impact of each ranked risk diminishes.
Since no firm can afford to eliminate all risk, one can find a level in the HTP
chart below which management appears to accept the risk instead of
implementing a risk response plan to remove it. This level is known as the
“Cut-off Level”.
Here we rate each risk with a three-number code, Risk (Impact Score, Probability
Score, Cost Index). E.g. a risk with code (3,1,2) is (Info Security / Data loss,
Remote, Low Cost).
Rank  Code (Impact, Probability, Cost)  Cumulative Preventive Cost ($)
 1    (not legible in source)
 2    (3,2,1)                             5000
 3    (3,3,3)                            10000
 4    (2,2,1)                            70000
 5    (2,2,1)                           140000
 6    (3,3,4)                           170000
 7    (not legible in source)
 8    (2,4,4)                           175000
 9    (2,2,2)                           200000
10    (2,2,2)                           240000   <-- Cut-off Level
11    (1,4,3)                           260000
12    (3,1,3)                           370000
13    (3,1,3)                           380000
14    (4,4,1)                           390000
(The original chart carries the label "Significant" beside the top ranks.)
Then based on the above sheet and the HTP analysis we can prepare a
checklist and Audit Plan based on which the Stake Owners can assess the
process control for effectiveness.
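Construction of an HTP chart from coded risks and their preventive costs, as an added Python example (not the report's own spreadsheet). The report does not state the rule by which risks are ordered on the pole, so the ordering key used here (higher impact first, then higher probability, then the cheaper response plan) is an assumption, as are the sample risks, preventive costs, budget, and the probability and cost-index labels other than the two the text gives.

```python
"""Hazard Totem Pole (HTP): order coded risks, accumulate preventive cost and
find the cut-off level.  Added example; the ordering rule, risks, costs, budget
and most of the label tables are assumptions (see comments)."""
from dataclasses import dataclass
from typing import List, NamedTuple, Tuple

# Impact scores as given in the classification table of the report.
IMPACT = {5: "Financial", 4: "Quality / Customer Service",
          3: "Information security / Data loss", 2: "Delay in TAT / Deviation in SOP",
          1: "Defective product"}
# Only "1 = Remote" (probability) and "2 = Low Cost" (cost index) appear in the
# text; the remaining labels are constructed placeholders.
PROBABILITY = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely"}
COST_INDEX = {1: "Negligible Cost", 2: "Low Cost", 3: "Medium Cost", 4: "High Cost"}


class RiskCode(NamedTuple):
    impact: int
    probability: int
    cost_index: int

    def describe(self) -> Tuple[str, str, str]:
        # (3,1,2) -> (Information security / Data loss, Remote, Low Cost)
        return IMPACT[self.impact], PROBABILITY[self.probability], COST_INDEX[self.cost_index]


@dataclass(frozen=True)
class Risk:
    name: str
    code: RiskCode
    preventive_cost: float  # cost of the response plan that removes or contains the risk


@dataclass(frozen=True)
class HtpRow:
    rank: int
    risk: Risk
    cumulative_cost: float


def priority(risk: Risk) -> Tuple[int, int, int]:
    # ASSUMED ordering: larger impact first, then larger probability, then the
    # cheaper response plan first (the "contained for a small amount of money" risks).
    return (-risk.code.impact, -risk.code.probability, risk.code.cost_index)


def build_htp(risks: List[Risk]) -> List[HtpRow]:
    # Rank 1 is the top of the pole; cumulative preventive cost grows going down.
    rows: List[HtpRow] = []
    running = 0.0
    for rank, risk in enumerate(sorted(risks, key=priority), start=1):
        running += risk.preventive_cost
        rows.append(HtpRow(rank, risk, running))
    return rows


def cut_off_level(htp: List[HtpRow], budget: float) -> int:
    # Rank of the last risk whose cumulative preventive cost is still within the
    # budget; everything below this level is accepted rather than treated.
    level = 0
    for row in htp:
        if row.cumulative_cost > budget:
            break
        level = row.rank
    return level


# Constructed sample risks for a card-issuing process.
SAMPLE_RISKS = [
    Risk("Card data in unencrypted backup", RiskCode(3, 2, 1), 5000),
    Risk("Wrong interest posted to accounts", RiskCode(5, 3, 2), 40000),
    Risk("Statement dispatch delayed", RiskCode(2, 4, 1), 3000),
    Risk("Call-centre mishandles disputes", RiskCode(4, 2, 3), 60000),
    Risk("Embossing defects on cards", RiskCode(1, 4, 2), 10000),
    Risk("Chargeback window missed", RiskCode(5, 2, 4), 150000),
]
SAMPLE_BUDGET = 200000  # constructed preventive-cost budget

if __name__ == "__main__":
    htp = build_htp(SAMPLE_RISKS)
    level = cut_off_level(htp, SAMPLE_BUDGET)
    for row in htp:
        mark = "  <-- cut-off level" if row.rank == level else ""
        print(f"{row.rank:2d} {tuple(row.risk.code)} {row.cumulative_cost:9.0f} "
              f"{row.risk.name}{mark}")
```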
3.3. Framework Pyramid (Proposed):
The Pyramid below will help the Organization to evolve and manage
processes based on COSO ERM methodology.
Framework Pyramid (figure; levels from base to apex, with the level number shown in the original):
1. Level 2, BU: Local efficiency gains, internal losses, forward-looking.
2. Level 3: Aggregation, models.
3. Level 5, Group: Fixing group-wide strategy, industry change.
We should expect lots of small benefits; with really big but fewer benefits as we
reach the top of the pyramid.
4.2. Recommendation:
This proposed model cannot always cover and guarantee against all the risks
that an organization faces, but it does try to cover all risks, whether inherent
or not.
Thus it acts as a risk mitigation plan which not only helps you avoid, mitigate or
transfer risk but also helps to improve your processes, which indirectly raises
the organizational level as well as the business-unit level up to a certain
limit.
As it is a mixture of all the models that are generally in use, it covers all the
risk management activities.
This model can also be used for other industries such as Manufacturing,
Services, Hospitality and Automobiles.
The model has a generic approach, so it can be applied to any industry.
As the model has not yet been tested against process costs, this remains future
work: the processes will be modelled in a process modeller to analyze cost, and
the same processes will then be checked with our model to obtain the cost.
The two costs should be similar; otherwise there is a problem in the process or
the model, so work still needs to be done in this area.
This model will cover a wide area of Risk Assessment, Management and
Control activities for the industries mentioned:
1. Establishing Context.
2. Identify the item(s) or process(es) to be analyzed
3. Identifying Risks.
4. Analyzing/Quantifying Risks
5. Integrating Risks
6. Assessing/Prioritizing Risks
7. Treating/Exploiting Risks
8. Monitoring and Reviewing
9. Control Activities
10. Information and Communication
11. Monitoring
12. Perform corrective actions and re-evaluate risk.
13. Distribute, review and update the analysis, as appropriate.
14. Strategy - high-level goals, aligned with and supporting the organization's
mission
15. Operations - effective and efficient use of resources
16. Financial Reporting - reliability of operational and financial reporting
17. Compliance - compliance with applicable laws and regulations
This model helps us to develop a Monitoring and Control Framework
which helps us to improve our controls and processes by eliminating risk,
and thus to reduce the number of controls required.
4.3. Conclusion:
The model will help us to measure risk and activities and it will help evaluate a
standard Control Assessment Plan which will generate same result for a particular
activity irrespective of the individual, in organizations belonging to Credit Card
Domain. The model will achieve a standardization of method and techniques to be
followed for preparing a Control Assessment plan as an output, independent of
individual capabilities.
4.4. References:
[1] ISO/IEC 15504-1:2004, Information technology -- Process assessment -- Part 1: Concepts and vocabulary; ISO/IEC 15504-2:2003, Part 2: Performing an assessment; ISO/IEC 15504-2:2003/Cor 1:2004; ISO/IEC 15504-3:2004, Part 3: Guidance on performing an assessment; ISO/IEC 15504-4:2004, Part 4: Guidance on use for process improvement and process capability determination; ISO/IEC 15504-5:2006, Part 5: An exemplar Process Assessment Model.
[2] www.wikipedia.com
[3] CORAS, “CORAS: A platform for risk analysis of security critical systems”, 2000.
[4] R. Winther, O.-A. Johnsen and B. A. Gran, “Security Assessments of Safety Critical Systems Using HAZOPs”, presented at the 20th International Conference on Computer Safety, Reliability and Security, SAFECOMP 2001, Budapest, Hungary, 2001.
[5] Pankaj Sharma, “Calculating COPQ Using Weighted Risk of Potential Failures”, www.isixsigma.com
[6] www.coso.org
[7] János Ivanyos (Memolux Ltd. (H), IIA Hungary), “Implementing Process Assessment Model of Internal Financial Control”.
[8] Jan Øyvind Aagedal, Folker den Braber, Theo Dimitrakos, Bjørn Axel Gran, Dimitris Raptis and Ketil Stølen, “Model-based Risk Assessment to Improve Enterprise Security”.
[9] Gary Stoneburner, Alice Goguen and Alexis Feringa, “Risk Management Guide for Information Technology Systems”, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-30, Washington, D.C.: U.S. Government Printing Office, January 2002, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[10] Sunil Bakshi, CISA, CISM, AMIIB, “Control Self-assessment for Information and Related Technology”.
[11] Consul, an IBM Company, whitepaper “Meeting the Requirements of the Payment Card Industry (PCI) Data Security Standard”.
[12] Li Chen and H. Vincent Poor, “Credit Risk Modeling and the Term Structure of Credit Spreads”.
[13] Student Team: Jacob Burns, Jeff Noonan, Laura Kichak and Beth Van Doren, “NASA Risk Assessment and Management Roadmap”.
[14] The Institute of Internal Auditors (The IIA), “The International Standards for the Professional Practice of Internal Auditing”.
[15] Tommie Singleton, CISA, “The COSO Model: How IT Auditors Can Use It to Evaluate the Effectiveness of Internal Controls”.
[16] INTOSAI, “Guidelines for Internal Control Standards for the Public Sector”, 2004, http://www.intosai.org/Level3/Guidelines/3_InternalContrStand/3_GuICS_PubSec_e.pdf
[17] David M Griffiths, “Risk based internal auditing - an introduction”, 30 January 2006, http://www.internalaudit.biz/files/introduction/Internalauditv2_0_3.pdf
[18] OWASP, “OWASP Risk Rating Methodology”.