
RISK FACTORS RISK MEASUREMENT PROCESS (Worksheet 7b)

PREPARED BY:
DATE:
INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate Cells.
2. List the Risk Factors in use (F1..F10) by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model. The weights should sum to 1.00 (the sum is shown in Cell M15).
4. Enter the auditable units of the audit universe in column B. The associated Audit Numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.
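The scoring procedure above, worked in Python as an added example (it is not part of the worksheet): the weights are checked to sum to 1.00, every score is checked to be 1..3, the total risk score is the weighted sum of the factor scores, and the audit universe is sorted highest risk first. The factor weights, audit numbers, unit names and scores are constructed sample data.

```python
# Constructed sample risk model: ten factors F1..F10 (Cells P2..P11) with weights
# that differ per factor; the weights are made up for this example.
FACTORS = ["F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10"]
WEIGHTS = [0.20, 0.15, 0.15, 0.10, 0.10, 0.10, 0.05, 0.05, 0.05, 0.05]

# Constructed sample audit universe: (audit number, auditable unit, scores for F1..F10).
# Scores use the worksheet's scale: 1 = low, 3 = high.
AUDIT_UNIVERSE = [
    ("A-01", "Payroll application",         [3, 3, 2, 2, 1, 2, 1, 1, 2, 3]),
    ("A-02", "Data center physical access", [3, 3, 3, 3, 3, 3, 3, 3, 3, 3]),
    ("A-03", "Help desk ticketing",         [1, 1, 1, 1, 1, 1, 1, 1, 1, 1]),
    ("A-04", "Vendor remote access",        [2, 3, 3, 1, 3, 1, 2, 2, 1, 1]),
]


def weights_valid(weights, tolerance=0.005):
    """Step 3: one weight per factor, and the weights must sum to 1.00 (Cell M15)."""
    return len(weights) == len(FACTORS) and abs(sum(weights) - 1.0) <= tolerance


def total_risk_score(weights, scores):
    """Step 5: weighted sum of the factor scores (the value the worksheet shows in column M)."""
    if len(scores) != len(weights):
        raise ValueError(f"expected {len(weights)} scores, got {len(scores)}")
    for factor, score in zip(FACTORS, scores):
        if score not in (1, 2, 3):
            raise ValueError(f"{factor}: score {score!r} is not 1, 2 or 3")
    return round(sum(w * s for w, s in zip(weights, scores)), 2)


def prioritize(weights, universe):
    """Step 6: score every auditable unit and sort the universe highest risk first."""
    if not weights_valid(weights):
        raise ValueError(f"weights sum to {sum(weights):.2f}, expected 1.00")
    ranked = [(number, unit, total_risk_score(weights, scores))
              for number, unit, scores in universe]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for number, unit, score in prioritize(WEIGHTS, AUDIT_UNIVERSE):
        print(f"{number}  {score:.2f}  {unit}")
```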

YEAR:

RISK FACTORS (descriptions, Cells P2..P11): F1, F2, F3, F4, F5, F6, F7, F8, F9, F10 (description cells are blank in this copy)

AUDIT #  AUDIT UNIVERSE   FACTORS:  F1   F2   F3   F4   F5   F6   F7   F8   F9   F10  TOTAL
                          WEIGHTS:  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  1.00

(The auditable-unit rows of the grid are blank in this copy; each unscored row shows a total risk score of 0 in column M.)

Wksht7b.xls

SORTED RISK ASSESSMENT MATRIX Worksheet (DATA CENTER RISK IDENTIFICATION)

AUDITOR:
DATE:
AUDIT:

THREAT axis (T1..T12), as entered in the sample sheet, with the number shown under each threat:
  1  UNAUTHORIZED EMPLOYEE
  2  SOFTWARE FAILURE
  3  DATA BACKUP FAILURE
  4  HARDWARE FAILURE
  5  DATA CORRUPTION
  6  FIRE
  7  INTRUDERS
  8  HACKERS
  9  NATURAL DISASTER
 10  POWER OUTAGE
 11  KEY COMPONENT FAILURE
RANK row: Cells C6..N6

COMPONENTS (with RANK column), as entered in the sample sheet:
  POLICIES AND PROCEDURE
  HARDWARE
  SOFTWARE
  PHYSICAL PROTECTION
  LOGICAL PROTECTION
  PEOPLE
  POWER

HIGHEST RISK = in the left-most quadrant. (The matrix body, in which HIGH RISK cells are marked "x", is not reproduced in this copy.)

THREAT list (#, T1..T12; Cells B27..B38)

INSTRUCTIONS:
1. Enter Auditor, Date, Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5). Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number) and the least significant (assigning it "1"), and so forth with the next-most and next-least. If there are 9 Threats, the highest value = 9, etc. Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows), using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns), using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner and the lowest risks in the lower right corner (depending on matrix size). The matrix will register the number of cells to be marked HIGH RISK (Cell H10).

wksht3c.xls
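The ranking and sort steps of the matrix procedure above, worked in Python as an added example (not the worksheet's own formulas): the ranks on each axis are checked to be a permutation of 1..n before sorting, both axes are sorted descending, and the upper-left quadrant is counted as HIGH RISK. The threat and component names are the sample sheet's; the ranks assigned to them, the rank-product cell value and the quadrant rule are assumptions made for this example.

```python
from math import ceil

# Constructed sample: the worksheet's threat and component names, with ranks made up for
# this example (most significant = highest number, least significant = 1).
THREATS = {
    "HACKERS": 11, "UNAUTHORIZED EMPLOYEE": 10, "INTRUDERS": 9, "DATA CORRUPTION": 8,
    "SOFTWARE FAILURE": 7, "HARDWARE FAILURE": 6, "DATA BACKUP FAILURE": 5,
    "POWER OUTAGE": 4, "KEY COMPONENT FAILURE": 3, "FIRE": 2, "NATURAL DISASTER": 1,
}
COMPONENTS = {
    "LOGICAL PROTECTION": 7, "SOFTWARE": 6, "HARDWARE": 5, "POLICIES AND PROCEDURE": 4,
    "PHYSICAL PROTECTION": 3, "PEOPLE": 2, "POWER": 1,
}


def ranks_valid(ranks):
    """Steps 4 and 6: ranks must be exactly 1..n with no gaps or duplicates; a duplicated
    rank would make the descending sort ambiguous."""
    return sorted(ranks.values()) == list(range(1, len(ranks) + 1))


def sort_descending(ranks):
    """Steps 5 and 7: the "Data Sort" on the rank row/column, highest rank first."""
    return [name for name, _ in sorted(ranks.items(), key=lambda kv: kv[1], reverse=True)]


def build_matrix(threats, components):
    """Step 8: rows are components, columns are threats, both sorted so the highest risks sit
    in the upper-left corner. Each cell holds the product of the two ranks; the product is
    an assumption, as the worksheet does not show its cell formula."""
    for label, ranks in (("threat", threats), ("component", components)):
        if not ranks_valid(ranks):
            raise ValueError(f"{label} ranks must be a permutation of 1..{len(ranks)}")
    cols, rows = sort_descending(threats), sort_descending(components)
    cells = [[components[r] * threats[c] for c in cols] for r in rows]
    return rows, cols, cells


def high_risk_cells(threats, components):
    """Mark the upper-left quadrant as HIGH RISK (the sheet reports the count in Cell H10).
    Assumption: the quadrant is the top half of the rows by the left half of the columns,
    each rounded up, so the count depends only on matrix size."""
    rows, cols, _ = build_matrix(threats, components)
    n_rows, n_cols = ceil(len(rows) / 2), ceil(len(cols) / 2)
    marked = [(rows[i], cols[j]) for i in range(n_rows) for j in range(n_cols)]
    return len(marked), marked


if __name__ == "__main__":
    count, marked = high_risk_cells(THREATS, COMPONENTS)
    print(f"{count} cells marked HIGH RISK; first: {marked[0]}")
```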

RISK CATEGORIES: DEFINITION, SOURCE / CAUSE, EFFECTS

Integrity
  Definition: This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization. These risks pervasively apply to each and every aspect of an application system used to support a business process.
  Source / Cause: Data corruption, errors, omissions. Integrity can be lost from programming errors, processing (maintenance) errors and management errors.
  Effects: Data corruption.

Relevance
  Definition: the usability and timeliness of information that is either created or summarized by an application system. It is the risk associated with not getting "the right data/information to the right person/process/system at the right time to allow the right action to be taken."
  Source / Cause: No effective communication.
  Effects: Not getting "the right data/information" to the right person or process/system at the right time to allow the right action to be taken.

Access
  Definition: Access risk focuses on the risk associated with inappropriate access to systems, data or information. It encompasses the risks of improper segregation of duties, risks associated with the integrity of data and databases, and risks associated with information confidentiality.
  Source / Cause: Inappropriate security access set-up; inappropriate access to the processing environment and the programs or data that are stored in that environment; inappropriate access to the network itself; physical devices unprotected from damage, theft and inappropriate access.
  Effects: Confidentiality violation, data loss or data corruption, whether by virus infection, worm, trojan attack programs etc.

Availability
  Source / Cause: Natural disasters (fire, flood etc.) causing hardware and software failure; power outage; theft; lack of or weak performance monitoring.
  Effects: Short-term / long-term business disruptions to the system.

Infrastructure
  Definition: the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).
  Source / Cause: Lack of or weak organization planning.
  Effects: Disorganized and dysfunctional IT decisions. Lack of proactive security policies and procedures, or inconsistent ones among IS and divisions.

DOMAINS AND POLICIES BY RISK CATEGORY

Integrity (Data, Applications, Report)
  User Interface: Proper segregation of duties. The adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
  Processing: Balancing and reconciliation controls to ensure that data processing has been complete and timely.
  Interface: To ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
  Data: Adequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures.

Access
  Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
  Application: Define the internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
  Data & Data Management: Policies on security related to users' access to specific data or databases within the environment.
  Processing Environment: Secure the host computer system where application systems and related data are stored and processed from.
  Network: Secure the mechanism used to connect users with a processing environment.
  Physical: Policies and procedures related to physical security of physical IS devices.

Availability (Critical IS system, applications and data)
  Risks that can be avoided by monitoring performance proactively and addressing systems issues before a problem occurs.
  Backups and contingency planning policies and procedures where restore/recovery techniques can be used to minimize the extent of a disruption.

Infrastructure
  IS department mission and organization: Define how I/T will impact the business and how I/T is articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
  Application system definition and deployment: Ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
  Logical security and security administration: Ensure that the organization adequately addresses the "Access risks" by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
  Computer and network operations: Ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
  Business data center recovery: Policies designed to address the "Availability risks" by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.
RISK ASSESSMENT MATRIX: COMPONENTS x THREATS, ONE MATRIX PER RISK CATEGORY
(Each matrix has a Rank column for the COMPONENTS, a Rank row for the THREATS, and a Total Risk cell. The definition repeated at the head of each matrix is the one given for that category above; the component descriptions are listed here.)

INTEGRITY RISK (Total Integrity Risk)
  User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.
  Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.
  Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.
  Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.
  Change Management: These risks are associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
  Data: These risks are associated with inadequate data management controls, including both the security/integrity of processed data and the effective management of databases and data structures. Integrity can be lost because of programming errors (e.g., good data is processed by incorrect programs), processing errors (e.g., transactions are incorrectly processed more than once against the same master file), or management/process errors (e.g., poor management of the systems maintenance process).

RELEVANCE RISK (Total Relevance Risk)
  Components: APPLICATION SYST, APPLICATION, NETWORK (no component descriptions are given)

ACCESS RISK (Total Access Risk)
  Business Process: The organizational decisions as to how to separate incompatible duties within an organization and to provide the correct level of empowerment to perform a function.
  Application: The internal application security mechanisms that provide users with the specific functions necessary for them to perform their jobs.
  Data & Data Management: The mechanism to provide users with access to specific data or databases within the environment.
  Processing Environment: where application systems and related data are stored and processed from. The access risk in this area is driven by the risk of inappropriate access to the processing environment and the programs or data that are stored in that environment.
  Network: The access risk in this area is driven by the risk of inappropriate access to the network itself.
  Physical: Protecting physical devices from damage, theft and inappropriate access.

AVAILABILITY RISK (Total Availability Risk)
  Risks that can be avoided by monitoring performance and proactively addressing systems issues before a problem occurs.
  Risks associated with short-term disruptions to the system, where restore/recovery techniques can be used to minimize the extent of a disruption.
  Risks associated with disasters: those that cause longer-term disruptions in information processing and which focus on controls such as backups and contingency planning.

INFRASTRUCTURE RISK (Total Infrastructure Risk)
  Organization Planning: that the definition of how I/T will impact the business is clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.
  Application system definition and deployment: The processes in this area ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).
  Logical security and security administration: The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.
  Computer and network operation: The processes in this area ensure that information systems and related network environments are operated in a secured and protected environment as intended by management and that information processing responsibilities performed by operations personnel (as opposed to users) are defined, measured and monitored. They also involve the proactive efforts typically performed by I/T personnel to measure and monitor computer and network performance to ensure that systems are consistently available to users at a satisfactory performance level.
  Data & database management: (no description is given)
  Business data center recovery: The processes in this area are designed to address the Availability risks by ensuring that adequate planning has been performed to ensure that information technologies will be available to users when they need them.
