Cyber & IT Supervisory Forum - November 2023
Internal Use Only
Key Risk Based Audit Planning Concepts
What drives audits?
• Inherent risk
• Controlled risk
• Residual risk
• Budget
• Same as last year
Risk Based Audit Planning Examples
Audit Frequency Determination
Rows: Inherent Risk Rating; columns: Residual Risk Rating

Inherent \ Residual   Very High         High              Moderate          Low               Very Low
Very High             6 to 12 months    6 to 12 months    12 to 18 months   18 to 24 months   24 to 36 months
High                  6 to 12 months    12 to 18 months   18 to 24 months   24 to 36 months   24 to 36 months
Moderate              12 to 18 months   18 to 24 months   24 to 36 months   24 to 36 months   36 months
Low                   18 to 24 months   24 to 36 months   24 to 36 months   36 months         36 months
Very Low              24 to 36 months   36 months         36 months         36 months         36 months
Mitigating Controls

Asset          Threat                                 Inherent Risk   Mitigating Controls   Residual Risk   Control Reliance
Core           Inappropriate access to member files   5 - Very High   80%                   1 - Very Low    4 - High
File servers   Loss of system availability            5 - Very High   40%                   3 - Medium      2 - Low
Server room    Flooding                               2 - Low         90%                   1 - Very Low    1 - Very Low
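The following worked example is added here as an illustration and is not part of the forum deck. It chains the two slides together: each register row is reduced from inherent to residual risk, the control reliance is derived, and the residual rating is then looked up in the audit frequency matrix to get an audit cycle. The matrix and the three register rows are transcribed from the slides; the two formulas (residual = inherent x (1 - mitigation), rounded up and floored at 1; control reliance = inherent - residual) are an assumption inferred from the three example rows, since the slide states no formula. Treating the register's "Medium" as the matrix's "Moderate" is also an assumption. Rounding up is a deliberate choice so that a residual rating is never understated.

```python
# Added worked example, not from the forum deck. The AUDIT_FREQUENCY matrix and
# the REGISTER rows are transcribed from the slides; residual_risk() and
# control_reliance() implement formulas INFERRED from the three example rows
# (assumption: the slide states no formula).
from dataclasses import dataclass
from typing import Dict, List

RATING_LABELS = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}
# The register slide writes rating 3 as "Medium"; treated here as the matrix's
# "Moderate" (assumption). Reliance can be 0 when controls remove nothing.
RELIANCE_LABELS = {0: "None", **RATING_LABELS}

# AUDIT_FREQUENCY[inherent][residual] on the 1..5 scale, transcribed from the slide.
AUDIT_FREQUENCY: Dict[int, Dict[int, str]] = {
    5: {5: "6 to 12 months", 4: "6 to 12 months", 3: "12 to 18 months",
        2: "18 to 24 months", 1: "24 to 36 months"},
    4: {5: "6 to 12 months", 4: "12 to 18 months", 3: "18 to 24 months",
        2: "24 to 36 months", 1: "24 to 36 months"},
    3: {5: "12 to 18 months", 4: "18 to 24 months", 3: "24 to 36 months",
        2: "24 to 36 months", 1: "36 months"},
    2: {5: "18 to 24 months", 4: "24 to 36 months", 3: "24 to 36 months",
        2: "36 months", 1: "36 months"},
    1: {5: "24 to 36 months", 4: "36 months", 3: "36 months",
        2: "36 months", 1: "36 months"},
}


@dataclass
class RegisterEntry:
    asset: str
    threat: str
    inherent: int        # inherent risk rating, 1..5
    mitigation_pct: int  # share of inherent risk the controls remove, 0..100


def residual_risk(inherent: int, mitigation_pct: int) -> int:
    """Inferred rule: residual = inherent * (1 - mitigation), rounded UP and
    floored at 1 so the rating is never understated. Integer arithmetic keeps
    the rounding boundary exact (no floating-point drift)."""
    if not 1 <= inherent <= 5:
        raise ValueError("inherent risk rating must be 1..5")
    if not 0 <= mitigation_pct <= 100:
        raise ValueError("mitigation must be 0..100 percent")
    scaled = inherent * (100 - mitigation_pct)   # residual rating * 100
    return max(1, (scaled + 99) // 100)           # ceiling division, floor at 1


def control_reliance(inherent: int, residual: int) -> int:
    """Inferred rule: reliance = rating points the controls remove."""
    return inherent - residual


def audit_frequency(inherent: int, residual: int) -> str:
    """Look up the audit cycle for a (inherent, residual) pair in the matrix."""
    return AUDIT_FREQUENCY[inherent][residual]


def plan_entry(e: RegisterEntry) -> dict:
    """Carry one register row through to its audit frequency."""
    residual = residual_risk(e.inherent, e.mitigation_pct)
    reliance = control_reliance(e.inherent, residual)
    return {
        "asset": e.asset,
        "threat": e.threat,
        "inherent": f"{e.inherent} - {RATING_LABELS[e.inherent]}",
        "mitigation": f"{e.mitigation_pct}%",
        "residual": f"{residual} - {RATING_LABELS[residual]}",
        "reliance": f"{reliance} - {RELIANCE_LABELS[reliance]}",
        "frequency": audit_frequency(e.inherent, residual),
    }


def plan_register(entries: List[RegisterEntry]) -> List[dict]:
    """Plan every row and order the result shortest audit cycle first, i.e.
    the rows auditors should schedule soonest come out on top."""
    planned = [plan_entry(e) for e in entries]
    # "6 to 12 months" -> 6, "36 months" -> 36: sort by the cycle's lower bound.
    return sorted(planned, key=lambda p: int(p["frequency"].split()[0]))


# The deck's three example rows (transcribed from the slide).
REGISTER = [
    RegisterEntry("Core", "Inappropriate access to member files", 5, 80),
    RegisterEntry("File servers", "Loss of system availability", 5, 40),
    RegisterEntry("Server room", "Flooding", 2, 90),
]

if __name__ == "__main__":
    for row in plan_register(REGISTER):
        print(f"{row['asset']:<13} {row['threat']:<38} inherent {row['inherent']:<14} "
              f"mitigated {row['mitigation']:<4} residual {row['residual']:<13} "
              f"reliance {row['reliance']:<13} audit every {row['frequency']}")
```

Running the block reproduces the slide's three rows (residual 1, 3 and 1; reliance 4, 2 and 1) and adds the column the deck leaves to the reader: the Core system with its 80% mitigation drops to a 24 to 36 month cycle, while the file servers, whose controls only remove 40% of the risk, stay on a 12 to 18 month cycle despite the identical inherent rating. The ordering makes the planning consequence explicit: the weakest-controlled asset is the first one on the schedule.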