Chapter 15: Assessing Risks in IT Operations
MBAD 7090
Fall, 2008
IS Security, Audit, and Control (Dr. Zhao)

Objectives
• Understand risk assessment
• Guidance and standards
• Enterprise Risk Management (ERM)
• Internet risks
• IT insurance

Risk Assessment
• Risk assessment is a tool or technique for evaluating the level of risk for a given process or function
• Jointly done by management and auditors
• Performed on an ongoing basis
• A video: a risk assessment framework

Guidance and Standards
• U.S. National Institute of Standards and Technology (NIST)
  ▫ Federal Information Processing Standards (FIPS)
  ▫ Automated Security Self-Evaluation Tool (ASSET)
• Government Accounting Office (GAO)
  ▫ IMTEC 8.1.4: An audit guide for assessing acquisition risk
  ▫ Assessing the reliability of computer-generated data

GAO
(two figure-only slides; no text was extracted)

Guidance and Standards (continued)
• AICPA
  ▫ Statements on Auditing Standards (SAS)
    SAS 70: service organizations
    Examples: insurance and medical claims processors, hosted data centers, application service providers (ASPs), and credit processing organizations.
    Type I audit: opinion on the fairness of the presentation of the service organization's description of controls
    Type II audit: opinion on whether the specific controls were operating effectively during the period under review

Guidance and Standards (continued)
• ISACA risk assessment
• Institute of Internal Auditors (IIA)
  ▫ Risk exposures in four areas
    Reliability and integrity of financial and operational information
    Effectiveness and efficiency of operations
    Safeguarding of assets
    Compliance with laws, regulations, and contracts

COSO Enterprise Risk Management (ERM)
• ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Traditional Risk Management
• Silos: risks are managed in separate compartments
  ▫ Insurance risk, technology risk, financial risk, environmental risk, etc.
  ▫ Lack of enterprise-wide coordination
  ▫ Lack of identification of emerging risks

ERM Process
• Identify
  ▫ Formal audit or inspection
  ▫ Operations process flowchart
  ▫ Financial statement analysis
  ▫ Risk analysis questionnaires
• Measure
  ▫ Critical
  ▫ Important
  ▫ Unimportant

ERM Process (continued)
• Monitor
• Control
  ▫ Avoidance: possibility/practicality
  ▫ Prevention
  ▫ Reduction
  ▫ Transfer: insurance/contractual management
  ▫ Retention

Why ERM
• Organizational oversight
• Magnitude of the problem
  ▫ "Especially in the area of asset-liability modeling and treasury management models to manage risks in the higher volatile capital markets' activity of derivative trading and speculation."

Why ERM (continued)
• Increased business risks
  ▫ Technology and the Internet
  ▫ Increased worldwide competition
  ▫ Free trade and investment worldwide
  ▫ Complex financial instruments
  ▫ Deregulation of key industries
  ▫ Changes in organizational structures from downsizing, reengineering, and mergers
  ▫ Increasing customer expectations

Why ERM (continued)
• Regulatory issues
  ▫ Recommended by the Basel Committee
• Market factors
  ▫ Meeting shareholder expectations
• Corporate governance
• A video: ERM system

A Case
• Microsoft has a campus of more than 50 buildings in the quake-prone Seattle area, and therefore earthquakes are a risk.
• Q: Take a holistic perspective in identifying the risks of an earthquake.

Web Issues
• Risks
  ▫ Intruders
  ▫ Hackers
  ▫ Unauthorized access

Web Controls
• Security policies and procedures
  ▫ Permissive policy: allow all traffic to flow between the internal network and the Internet except that which is explicitly disallowed
  ▫ Prudent policy: allow only traffic that is explicitly permitted by protocol and exclude any other

Web Controls (continued)
• Firewalls
  ▫ A system that controls the traffic flow between the Internet and a company's internal resources
  ▫ A video
• Encryption
  ▫ Encode/decode the original information
  ▫ A video

IT Insurance
• What can be insured?
  ▫ An object with sufficient number and quantity to allow a reasonably close calculation of probable loss
  ▫ Accidental loss
  ▫ Losses must be capable of being determined and measured
  ▫ Minimal catastrophic hazard

Insurable vs. Not Insurable Risks
  Insurable Risks            Not Insurable Risks
  • Property risks           • Market risks
  • Personal risks             ▫ E.g., seasonal price changes
  • Legal liability risks    • Political risks
                               ▫ E.g., war or overthrow of the government
                             • Production risks
                               ▫ E.g., failure of machinery

IT Insurance Selection
• Identifying risks
• Estimating probability of loss and size of loss
• Select the best and most cost-effective method to manage risk and loss
  ▫ Tax considerations
  ▫ Opportunity cost of funds
• An example
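The permissive and prudent policies on the Web Controls slide differ in one thing: what happens to traffic nobody wrote a rule for. The following Python model is an added example, not material from the lecture or from any firewall product. All rules, addresses (RFC 5737 documentation ranges) and sample flows are constructed for illustration, and the names Flow, Rule, permissive_decision and prudent_decision are invented here.

```python
"""Added example (not part of the lecture slides): a small model of the two
firewall policy stances named in "Web Controls".

  permissive -> default ALLOW; only traffic on an explicit deny list is blocked
  prudent    -> default DENY;  only traffic on an explicit allow list passes

Every rule, address and sample flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str   # "inbound" (Internet -> internal) or "outbound"
    proto: str       # "tcp" or "udp"
    dst_port: int
    src: str         # source address as text


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_port: Optional[int] = None   # None matches any destination port
    src_net: str = "0.0.0.0/0"       # any source unless narrowed

    def matches(self, flow: Flow) -> bool:
        return (
            self.direction == flow.direction
            and self.proto == flow.proto
            and (self.dst_port is None or self.dst_port == flow.dst_port)
            and ip_address(flow.src) in ip_network(self.src_net)
        )


def permissive_decision(flow: Flow, deny_rules: Iterable[Rule]) -> str:
    """Permissive stance: pass everything unless an explicit deny rule matches."""
    return "deny" if any(r.matches(flow) for r in deny_rules) else "allow"


def prudent_decision(flow: Flow, allow_rules: Iterable[Rule]) -> str:
    """Prudent stance: drop everything unless an explicit allow rule matches."""
    return "allow" if any(r.matches(flow) for r in allow_rules) else "deny"


# Constructed rule sets. Both administrators considered the same obvious
# services; the difference shows on traffic neither of them thought about.
DENY_RULES: List[Rule] = [               # permissive: enumerate the forbidden
    Rule("inbound", "tcp", 23),          # telnet
    Rule("inbound", "tcp", 445),         # SMB
    Rule("inbound", "tcp", 3389),        # RDP
]
ALLOW_RULES: List[Rule] = [              # prudent: enumerate the needed
    Rule("inbound", "tcp", 80),          # public web
    Rule("inbound", "tcp", 443),
    Rule("inbound", "tcp", 22, "203.0.113.0/24"),  # admin SSH from one range only
    Rule("outbound", "tcp", 443),        # browsing / updates
    Rule("outbound", "udp", 53),         # DNS
]

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS: List[Flow] = [
    Flow("inbound", "tcp", 443, "198.51.100.7"),    # web client, expected
    Flow("inbound", "tcp", 23, "198.51.100.7"),     # telnet, both lists cover it
    Flow("inbound", "tcp", 5900, "198.51.100.7"),   # VNC nobody planned to expose
    Flow("inbound", "tcp", 22, "198.51.100.7"),     # SSH from outside the admin range
    Flow("inbound", "tcp", 22, "203.0.113.10"),     # SSH from the admin range
    Flow("outbound", "udp", 53, "10.0.0.15"),       # DNS lookup
    Flow("outbound", "tcp", 6667, "10.0.0.15"),     # IRC from a workstation
]


def compare(flows: Iterable[Flow],
            deny_rules: Iterable[Rule] = DENY_RULES,
            allow_rules: Iterable[Rule] = ALLOW_RULES) -> Dict[Flow, Tuple[str, str]]:
    """Map each flow to (permissive decision, prudent decision)."""
    deny_rules, allow_rules = list(deny_rules), list(allow_rules)
    return {f: (permissive_decision(f, deny_rules), prudent_decision(f, allow_rules))
            for f in flows}


def unforeseen_exposure(flows: Iterable[Flow],
                        deny_rules: Iterable[Rule] = DENY_RULES,
                        allow_rules: Iterable[Rule] = ALLOW_RULES) -> List[Flow]:
    """Flows the permissive policy passes but the prudent policy blocks: the
    exposure that exists only because nobody wrote a rule for it."""
    return [f for f, (p, q) in compare(flows, deny_rules, allow_rules).items()
            if p == "allow" and q == "deny"]


if __name__ == "__main__":
    for flow, (perm, prud) in compare(SAMPLE_FLOWS).items():
        print(f"{flow.direction:8} {flow.proto}/{flow.dst_port:<5} from {flow.src:14} "
              f"permissive={perm:5} prudent={prud}")
    print("blocked only by the prudent policy:", len(unforeseen_exposure(SAMPLE_FLOWS)))
```

Run as a script, the table shows both stances agreeing on the services each administrator listed, while the unplanned VNC listener, SSH from an unexpected source and an outbound IRC connection pass the permissive policy and are stopped by the prudent one. That is the auditor's reason for preferring the prudent stance: the exposure is bounded by the allow list rather than by how complete the deny list happens to be.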


UNCC MBAD 7090 - Assessing Risks in IT Operations