Risk Management of the IS Function
Learning Objectives
Become familiar with the concept of computer risks and exposures
Understand the major types of risk faced by the information system (IS) function, including the sources of such risk as well as its causes
Understand the emphasis on management's role in adopting a risk position
This session examines risk and its nature in the corporate environment, and looks at the internal audit need for appropriate risk analysis to enable risk-based auditing as an integrated approach.
Leadership involves making choices in the face of uncertainty. Risk is the possibility that one or more individuals or organizations will experience adverse consequences from those choices. Risk is the mirror image of opportunity.
Nature of Risk
Ultimately, all entities encounter risk regardless of their size, corporate structure, nature of business, or type of industry.
These risks can affect:
the company's ability to compete successfully
the company's ability to maintain financial strength
the corporation's positive public image
ultimately, the organization's ability to survive
Yes or No?
Can risk be eliminated?
Answer: NO
If it can't be eliminated, what can we do?
Risk cannot be eliminated, only managed.
Risk identification
Risk identification may be done as part of the planning process, either on a zero base or incrementally to the last review.
Risks arise from internal or external factors, and the factors themselves may be interrelated.
Responsibilities for boards
The Board has responsibility for determining the strategic direction of the organization and for creating the environment and the structures for risk management to operate effectively. This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organization's way of operating and is capable of acting as a sponsor for risk management.
The Board should, as a minimum, consider the following in evaluating its system of internal control:
The nature and extent of downside risks acceptable for the company to bear within its particular business
The likelihood of such risks becoming a reality
How unacceptable risks should be managed
The company's ability to minimize the probability and impact on the business
The costs and benefits of the risk and control activity undertaken
The effectiveness of the risk management process
The risk implications of board decisions
Types of risks
Inherent risk
The likelihood of a significant loss occurring before taking into account any risk-reducing factors
Control risk
The likelihood that the control processes established to manage inherent risk prove to be ineffective
Detection risk
The risk that errors not detected or prevented by the control structure will also not be detected by the auditor

Question
What will you do in order to evaluate whether the controls designed and implemented by management have adequately reduced the inherent risk to within tolerance levels?
As an auditor, you must identify those controls relied upon by management to reduce the likelihood or impact of the risk.
Once these controls have been identified, an audit program to test the known effectiveness of these controls may be designed and implemented.