IT Examiner School

Risk Assessment Red Flags

Risk assessment does not incorporate both technical & nontechnical risks

Risk assessment is not reviewed & updated at least annually (should be more often if there are significant operational changes)

Audit (controls testing) results do not impact the risk assessment and/or the risk assessment does not impact the audit scope & frequency

Risk Assessment Summary

- The risk assessment process is ongoing, not a one-time exercise
- A risk assessment should:
  - Identify and value assets
  - Identify potential threats/vulnerabilities
  - Rank the threats/vulnerabilities
- Seek clarification from management regarding vague references, assumptions, risk assessment findings, rating definitions, etc.
- Risk assessments can take many forms
