Risk Assessment and Audit Charter

Risk Assessment

The whole CISA exam revolves around the concepts of risk assessment methodology. ISACA expects aspirants to have a deep understanding of the terms used in risk assessment.

What is risk?

Risk is the probability or threat of damage, injury, liability, loss or any other negative occurrence that is caused by external or internal vulnerabilities and that may be avoided or reduced through preventive action.

Elements of risk:

Risk is mainly composed of probability and impact and is usually formulated using the formula below:

Risk(R) = Probability(P) * Impact(I)

Both terms are equally important when determining risk. Consider an example: the probability of a product being damaged is very high, say 1, but the product costs practically nothing, so the impact is nil (zero) even if it is damaged.

So the risk of damage to that product will be:
Risk = P * I
i.e. Risk = 1 * 0 = 0

Vulnerability & Threat

Vulnerability means a weakness, and threat means something that can exploit that weakness. Using these terms we have another formula for risk:

R = Vulnerability(V) * Threat(T)

For the exam, just remember the following 2 formulae:

R = P * I

&

R = Asset Value(A) * V * T

Risk matrix

A risk matrix shows how the severity of a risk is determined by its likelihood/probability and its impact: each risk is placed in the cell where its likelihood row meets its impact column, and the cell's colour or band gives the rating.

Steps for risk assessment (expect 2 questions on this):

Step 1: Identify Critical Assets/Processes.

Step 2: Identify relevant risks.

Step 3: Do impact analysis.

Step 4: Risk prioritization

Step 5: Risk Treatment

What is threat?

A threat is what we are trying to protect against. The adversary could be floods, fire, hackers, malware, criminals or many other unknown forces. Threats are not within our control.

What is vulnerability?

A vulnerability is a weakness or gap in our protection. It can take the form of weak coding, missing anti-virus, weak access control or other related factors. Vulnerabilities are within our control.

Types of Risk:

  • Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place.
  • Residual Risk: The risk that remains after controls are taken into account.
  • Detection Risk: The risk that the auditor's procedures fail to detect a material error or misstatement.
  • Control Risk: The risk that a material error could occur and would not be prevented, or detected and corrected in time, by the entity's internal controls.
  • Audit Risk: Inherent Risk x Control Risk x Detection Risk, i.e. the overall risk that the auditor issues an incorrect opinion.

Risk Treatment:
Once risks have been identified and assessed, every technique for managing them falls into one or more of these four major categories:

  • Risk Mitigation/Risk Reduction – Controls are implemented to reduce the likelihood or the impact of the risk to an acceptable level.
  • Risk Avoidance – The risky functionality or activity is dropped or removed altogether.
  • Risk Acceptance – The risky functionality is used with full knowledge of the particular risk, which management formally accepts.
  • Risk Transfer – The risk is transferred to a third party (mostly through insurance, sometimes outsourcing) that takes care of the risk.
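The five assessment steps, the P * I formula, the risk matrix and the four treatment options, walked through end to end in code. This is an added example, not from the original post or from ISACA: the asset inventory, the 0..5 scales, the matrix bands and the treatment decision rules are all assumptions chosen for illustration.

```python
"""Worked walk-through of the five risk-assessment steps (added example).

Constructed inventory: three assets and several threat/vulnerability
pairs. Scales, matrix bands and treatment rules are assumptions for
illustration, not ISACA definitions.
"""
from dataclasses import dataclass
import math


@dataclass
class Asset:
    name: str
    value: int  # 0..5 business value (0 = worthless, 5 = critical), assumed scale


@dataclass
class Risk:
    asset: Asset
    threat: str            # what we protect against; outside our control
    vulnerability: str     # the weakness the threat exploits; under our control
    probability: int       # 1..5 likelihood the threat exploits the vulnerability
    loss_fraction: float   # 0.0..1.0 share of the asset's value lost if it happens
    dispensable: bool = False  # can the risky functionality simply be dropped?
    impact: int = 0        # 0..5, set by impact analysis (step 3)
    score: int = 0         # Risk = P x I (step 4)
    rating: str = ""       # risk-matrix band (step 4)
    treatment: str = ""    # chosen option (step 5)


def identify_critical_assets(assets, min_value=3):
    """Step 1: keep only assets whose value meets the criticality threshold."""
    return [a for a in assets if a.value >= min_value]


def impact_analysis(risk):
    """Step 3: impact = asset value scaled by how much of it the event destroys."""
    return math.ceil(risk.asset.value * risk.loss_fraction)


def risk_score(probability, impact):
    """Risk = Probability x Impact, the first formula from the post."""
    return probability * impact


def matrix_rating(score):
    """Step 4: place a 0..25 score on a 5x5 risk matrix (assumed bands)."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 14:
        return "High"
    return "Critical"


def choose_treatment(risk, appetite="Low"):
    """Step 5: pick one of the four treatment options (assumed decision rules)."""
    bands = ["Low", "Medium", "High", "Critical"]
    if bands.index(risk.rating) <= bands.index(appetite):
        return "Accept"      # inside appetite: keep using it, knowing the risk
    if risk.rating == "Critical" and risk.dispensable:
        return "Avoid"       # severe and not needed: drop the functionality
    if risk.impact >= 4 and risk.probability <= 2:
        return "Transfer"    # rare but severe: insure or outsource it
    return "Mitigate"        # otherwise: add controls to cut P or I


def assess(assets, risks, appetite="Low"):
    """Run steps 1-5 and return the prioritised list, highest score first."""
    critical = identify_critical_assets(assets)
    identified = [r for r in risks if r.asset in critical]   # step 2
    for r in identified:
        r.impact = impact_analysis(r)                         # step 3
        r.score = risk_score(r.probability, r.impact)         # step 4
        r.rating = matrix_rating(r.score)
        r.treatment = choose_treatment(r, appetite)           # step 5
    return sorted(identified, key=lambda r: r.score, reverse=True)


# Constructed sample inventory (not real data)
DB = Asset("customer database", 5)
WEB = Asset("public web app", 4)
SWAG = Asset("promotional mugs", 0)   # the worthless-product case from above

SAMPLE_RISKS = [
    Risk(DB, "SQL injection", "unparameterised queries", 4, 1.0),
    Risk(DB, "flood in server room", "no off-site backups", 1, 1.0),
    Risk(WEB, "malware upload leading to RCE", "unrestricted file upload", 4, 1.0, dispensable=True),
    Risk(WEB, "defacement", "outdated CMS plugin", 3, 0.25),
    Risk(SWAG, "mugs damaged in transit", "flimsy packaging", 5, 1.0),
]


def run_sample():
    return assess([DB, WEB, SWAG], SAMPLE_RISKS)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.asset.name:18} {r.threat:30} P={r.probability} I={r.impact} "
              f"R={r.score:2} {r.rating:8} -> {r.treatment}")
```

The worthless mugs never reach step 2: with value 0 they fail the criticality filter, which is the same lesson as the 1 * 0 = 0 arithmetic above. The flood risk lands on Transfer because it is rare but would wipe out the most valuable asset, while the upload feature lands on Avoid only because it was flagged as dispensable; the same score on the database goes to Mitigate, since you cannot drop the database.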

Audit Charter

An audit charter is a formal document that defines the audit function's purpose, authority and position in the organization.

Characteristics of Audit Charter:

  • The audit charter is approved by the highest level of the organization (top management or the board) and should also be approved by the audit committee.
  • An audit charter is not dynamic in nature; it should be changed only with proper justification and re-approval.
  • The audit function must be independent of the business functions and should have direct access to the audit committee of the board.
