PREPARED BY:
DATE:
INSTRUCTIONS:
1. Enter Year, Prepared By, and Date in the appropriate cells.
2. List the risk factors in use (F1..F10) by description in Cells P2..P11.
3. Alter the weights in Cells C15..L15 to suit your risk model.
   The weights should sum to 1.00 (shown in Cell M15).
4. Enter the auditable units of the audit universe in column B.
   The associated audit numbers may be assigned and entered in column A.
5. Evaluate each auditable unit (audit) by assigning a score (1 = low, 3 = high) for each
   risk factor used in the model. The total risk score will be shown in column M.
6. The spreadsheet data may be sorted (recommended) to prioritize the auditable units.
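The scoring model these instructions describe (weights that must sum to 1.00, a 1..3 score per factor, a weighted total per auditable unit, and a descending sort to prioritize the audit universe) as an added worked example. This is example code, not part of the worksheet; the factor descriptions, weights, audit units and scores are constructed sample data, and the tolerance used for the "sums to 1.00" check is an assumption of the example.

```python
"""Weighted risk-scoring model for an audit universe.

Added example, not code from the worksheet: it implements the scoring model
the instructions describe (risk factors F1..F10, a weight per factor that must
sum to 1.00, a score of 1 = low to 3 = high per auditable unit and factor, a
total risk score per unit, and a descending sort to prioritize the audit
universe). Factor descriptions, weights, audit units and scores below are
constructed sample data, not values from the worksheet.
"""
from dataclasses import dataclass

MIN_SCORE, MAX_SCORE = 1, 3     # 1 = low risk, 3 = high risk
WEIGHT_TOLERANCE = 1e-9         # assumed floating-point slack for the "sums to 1.00" check


@dataclass
class AuditUnit:
    number: str        # column A: audit number
    name: str          # column B: auditable unit
    scores: dict       # factor id -> score, e.g. {"F1": 3, "F2": 1}


def validate_weights(weights):
    """Weights must be non-negative and sum to 1.00 (the check the TOTAL cell shows)."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 1.0) > WEIGHT_TOLERANCE:
        raise ValueError(f"weights sum to {total:.2f}, expected 1.00")
    return total


def risk_score(unit, weights):
    """Total risk score for one unit: sum of weight x score over the factors in use.
    A missing or out-of-range score is an input error, not a silent zero."""
    total = 0.0
    for factor, weight in weights.items():
        score = unit.scores.get(factor)
        if score is None:
            raise ValueError(f"{unit.name}: no score entered for {factor}")
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{unit.name}: score {score} for {factor} is outside {MIN_SCORE}..{MAX_SCORE}")
        total += weight * score
    return round(total, 4)


def prioritize(units, weights):
    """Score every unit and sort the audit universe by total risk, highest first."""
    validate_weights(weights)
    scored = [(risk_score(unit, weights), unit) for unit in units]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


# Constructed sample risk model: five factors in use, weights sum to 1.00.
SAMPLE_FACTORS = {
    "F1": "Financial materiality",
    "F2": "Control environment",
    "F3": "Time since last audit",
    "F4": "Rate of change / complexity",
    "F5": "Regulatory exposure",
}
SAMPLE_WEIGHTS = {"F1": 0.25, "F2": 0.25, "F3": 0.20, "F4": 0.15, "F5": 0.15}

# Constructed sample audit universe with a 1..3 score per factor.
SAMPLE_UNITS = [
    AuditUnit("A-01", "Payroll", {"F1": 3, "F2": 2, "F3": 1, "F4": 2, "F5": 3}),
    AuditUnit("A-02", "Data center operations", {"F1": 2, "F2": 3, "F3": 3, "F4": 3, "F5": 2}),
    AuditUnit("A-03", "Facilities maintenance", {"F1": 1, "F2": 1, "F3": 2, "F4": 1, "F5": 1}),
]

if __name__ == "__main__":
    for score, unit in prioritize(SAMPLE_UNITS, SAMPLE_WEIGHTS):
        print(f"{unit.number:5} {unit.name:24} total risk = {score:.2f}")
```

Rejecting a bad weight set or an out-of-range score up front is the point of the two checks: a spreadsheet silently treats an empty score cell as 0 and a weight row that sums to 0.90 as valid, and both quietly distort the ranking that the audit plan is built on.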
Worksheet file: Wksht7b.xls

FACTORS   F1   F2   F3   F4   F5   F6   F7   F8   F9   F10  TOTAL
WEIGHTS   0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  0.1  1.00

AUDIT #   AUDIT UNIVERSE   YEAR:   RISK FACTORS F1..F10 (one score column per factor; TOTAL in column M)

RISK FACTOR DESCRIPTIONS (Cells P2..P11; no descriptions entered on the template):
F1
F2
F3
F4
F5
F6
F7
F8
F9
F10
SORTED RISK ASSESSMENT MATRIX Worksheet
AUDITOR:    AUDIT: DATA CENTER RISK IDENTIFICATION    DATE:

COMPONENTS (Cells A8..B20; rank in column A, as extracted):
1  POLICIES AND PROCEDURE
4  PHYSICAL PROTECTION
5  LOGICAL PROTECTION
6  PEOPLE
7  POWER
THREAT AXIS (Cells C5..N5): T1 T2 T3 T4 T5 T6 T7 T8 T9 T10 T11 T12

INSTRUCTIONS:
1. Enter Auditor, Date, and Audit in the spaces provided.
2. Enter Components (up to a maximum of 12) in Cells B8..B20.
3. Assign Threats (up to a maximum of 12) to the Threat Axis (T1..T12 in Cells C5..N5).
   Threats can be documented by listing them in Cells B27..B38.
4. Rank the Threats by choosing the most significant (assigning it the highest number)
   and the least significant (assigning it "1"), and so forth with the next-most and next-least.
   If there are 9 Threats, the highest value = 9, etc.
   Place the rankings in the RANK row, Cells C6..N6.
5. Use the "Data Sort" command to rearrange Cells C5..N6 (2 rows),
   using Cell C6 as the Primary Key and Sort Order Descending.
6. Similarly, rank the Components using Cells A8..A20, with the most important component
   receiving the highest value (if 10 Components, the highest = 10, etc.).
7. Use the "Data Sort" command to rearrange Cells A8..B20 (2 columns),
   using Cell A8 as the Primary Key and Sort Order Descending.
8. The matrix should now be sorted to reflect the highest risks in the upper left corner
   and the lowest risks in the lower right corner (depending on matrix size).
   The matrix will register the number of cells to be marked HIGH RISK (Cell H10).
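Steps 4 to 8 carried out in code, as an added example that is not part of the worksheet: the alternating most/least ranking, the descending sort of both axes, and the count of HIGH RISK cells. The worksheet states that the matrix registers that count but does not show its formula, so the cell value (threat rank multiplied by component rank) and the threshold of 20 are assumptions of this example. The threat and component names are the ones the worksheet lists; the order in which they are picked, and therefore their ranks, is constructed sample input.

```python
"""Sorted risk identification matrix: threats x components.

Added example, not the worksheet's own code. It carries out steps 4 to 8 of
the instructions: rank threats and components by picking the most significant
(highest number) and least significant ("1") in turn, sort both axes
descending so the highest risks sit in the upper-left corner, and count the
cells that qualify as HIGH RISK. The worksheet says the matrix registers that
count but does not show its formula, so the cell value (threat rank x
component rank) and the HIGH RISK threshold used here are assumptions of this
example. The threat and component names are those on the worksheet; the order
in which they are picked (and so their ranks) is constructed sample input.
"""

MAX_AXIS = 12  # the worksheet allows up to 12 threats and 12 components


def rank_by_extremes(picks):
    """Steps 4 and 6: picks alternate most-significant, least-significant,
    next-most, next-least, ... Returns {name: rank}; highest number = most significant."""
    n = len(picks)
    if n == 0 or n > MAX_AXIS:
        raise ValueError(f"an axis needs 1..{MAX_AXIS} entries, got {n}")
    if len(set(picks)) != n:
        raise ValueError("duplicate entry on axis")
    ranks, high, low = {}, n, 1
    for i, name in enumerate(picks):
        if i % 2 == 0:
            ranks[name] = high
            high -= 1
        else:
            ranks[name] = low
            low += 1
    return ranks


def sort_axis_descending(ranks):
    """Steps 5 and 7: the 'Data Sort' on the rank row/column, descending."""
    return sorted(ranks, key=ranks.get, reverse=True)


def build_matrix(threat_ranks, component_ranks):
    """Step 8: rows = components, columns = threats, both sorted descending.
    Cell value = threat rank x component rank (assumption of this example)."""
    threats = sort_axis_descending(threat_ranks)
    components = sort_axis_descending(component_ranks)
    cells = [[threat_ranks[t] * component_ranks[c] for t in threats] for c in components]
    return threats, components, cells


def count_high_risk(cells, threshold):
    """Number of cells to be marked HIGH RISK: value at or above the threshold."""
    return sum(1 for row in cells for value in row if value >= threshold)


# Constructed pick order (most, least, next-most, next-least, ...) for the
# threats and components named on the worksheet.
THREAT_PICKS = ["HACKERS", "NATURAL DISASTER", "DATA CORRUPTION", "KEY COMPONENT FAILURE",
                "FIRE", "INTRUDERS", "POWER OUTAGE"]
COMPONENT_PICKS = ["LOGICAL PROTECTION", "POWER", "POLICIES AND PROCEDURE", "PEOPLE",
                   "PHYSICAL PROTECTION"]
HIGH_RISK_THRESHOLD = 20  # assumed cut-off on the rank product


def sorted_matrix_report(threat_picks=THREAT_PICKS, component_picks=COMPONENT_PICKS,
                         threshold=HIGH_RISK_THRESHOLD):
    """Run the whole procedure and return the sorted axes, the cells and the HIGH RISK count."""
    threats, components, cells = build_matrix(rank_by_extremes(threat_picks),
                                              rank_by_extremes(component_picks))
    return {"threats": threats, "components": components, "cells": cells,
            "high_risk": count_high_risk(cells, threshold)}


if __name__ == "__main__":
    report = sorted_matrix_report()
    print("".ljust(24) + " ".join(t[:6].rjust(6) for t in report["threats"]))
    for component, row in zip(report["components"], report["cells"]):
        print(component.ljust(24) + " ".join(f"{v:6d}" for v in row))
    print("cells marked HIGH RISK:", report["high_risk"])
```

Because both axes are sorted descending before the cells are computed, the largest products always land in the upper-left corner, which is exactly the layout step 8 describes; the threshold is the only tunable, and changing it changes how many of those corner cells the matrix flags.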
AUDIT: DATA CENTER RISK IDENTIFICATION

THREATS (Threat Axis, as extracted):
FIRE | INTRUDERS | DATA CORRUPTION | HACKERS | NATURAL DISASTER | POWER OUTAGE | KEY COMPONENT FAILURE
Rank row, as extracted: 5 6 7 8 9 10 11
RISK DEFINITIONS

Inappropriate access to the processing environment and the programs or data that are stored in that environment.

Definition: the organization does not have an effective information technology infrastructure (hardware, networks, software, people and processes) to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion. These risks are associated with the series of Information Technology (I/T) processes used to define, develop, maintain and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.).

Column headings, as extracted: Domain | Policies | Data, Applications, Report

Business Process: How to separate incompatible duties within an organization and how to provide the correct level of empowerment to perform a function.
APPLICATION RISK MATRIX (as extracted)

COMPONENTS           Rank   Total Risk   User Interface   Integrity Processing   Error Processing   Interface   Change Management
APPLICATION SYSTEM          0            0                0                      0                  0
APPLICATION
NETWORK

Column definitions:

User Interface: whether there are adequate restrictions over which individuals in an organization are authorized to perform business/system functions based on their job need and the need to enforce a reasonable segregation of duties. Other risks in this area relate to the adequacy of preventive and/or detective controls that ensure that only valid data can be entered into a system and that the data is complete.

Integrity Processing: whether there are adequate preventive or detective balancing and reconciliation controls to ensure that data processing has been complete and timely. This risk area also encompasses risks associated with the accuracy and integrity of reports (whether or not they are printed) used to summarize results and/or make business decisions.

Error Processing: whether there are adequate processes and other system methods to ensure that any data entry/processing exceptions that are captured are adequately corrected and reprocessed accurately, completely and on a timely basis.

Interface: whether there are adequate preventive or detective controls to ensure that data that has been processed and/or summarized is adequately and completely transmitted to and processed by another application system that it feeds data/information to.

Change Management: these risks are associated with inadequate change management processes, including user involvement and training as well as the process by which changes to any aspect of an application system are both communicated and implemented.
Matrix labels, as extracted: Rank | Data | Risk associated with disasters | COMPONENTS Rank

I/T PROCESS AREA DEFINITIONS (three columns, as extracted; the first two begin mid-sentence)

... that the definition in this area of how I/T will impact the business is clearly defined and articulated. It is important to have adequate executive level support and buy-in to this direction and adequate organizational (people and process) planning to ensure that I/T efforts will be successful.

... ensure that application systems meet both business and user needs. These processes encompass the process of determining whether to buy an existing application system or to develop a custom solution. These processes also ensure that any changes to application systems (whether they are purchased or developed) follow a defined process that ensures that critical process/control points are consistently adhered to (e.g., all changes are tested and approved by users prior to implementation).

The processes in this area ensure that the organization adequately addresses the Access risks by establishing, maintaining and monitoring a comprehensive system of internal security that meets management's policies with respect to the integrity and confidentiality of the data and information within the organization and an organization's need to reduce its Empowerment and Fraud risks to acceptable levels.

Further risk area headings, as extracted: Computer and network operation management | Data & database | Business data center recovery