Tips for Understanding Differences in Risk and Audit Points of View
ISACA recently released a white paper titled Getting Started With Risk Management, which starts with the following description: “Although most enterprises have some sort of risk management, it often lacks the depth and specificity required by the business environments and risk landscapes in which they operate. The main drivers for risk management include improving enterprise decision-making, aligning resources to focus on risk with the greatest potential impact and ensuring value creation by maintaining risk within acceptable tolerances and appetites.”
Despite all of the focus on risk management and the resources that organizations invest in it, risk management is too often treated as a compliance issue that can be solved by the application of controls, checklists or adherence to policies. This treatment of risk management as a controls-based set of activities or conformance to a set of criteria misses the point that risk management is about managing uncertainty, not compliance. The impact of a disaster, cyberbreach or other incidents is real and continues to occur despite organizations complying with the latest set of regulations, guidelines or standards. Risk management benefits from an integrated view of all risk that has the potential to prevent the achievement of the organizations’ strategy. This is why a checklist approach to risk management is insufficient to address the interdependence of risk.
I am often asked by risk and audit professionals what steps should be taken when a risk is identified and management either disagrees with the high risk rating or chooses to accept a risk and takes no mitigating actions. Here are some considerations that may be helpful to distinguish between the risk point of view and audit point of view and increase understanding of risk-related actions by management:
Risk point 1—Risk management is the identification, evaluation and prioritization of risk supported by a system of coordinated application of resources to respond to potential threats. Risk assessments are conducted to identify scenarios or situations that may prevent the organizations from meeting its strategy or mission. The experience of the risk assessor, the scope of the risk assessment, and whether or not the risk is present at the time of the assessment are all factors that influence what potential risk factors are identified.
Audit point 1—Audit and assurance roles are focused on the inspection, verification or conformance to a set of practices or controls to ensure that guidance is being followed, records are accurate and effectiveness targets are being met. There is no uncertainty in whether or not a control is operating providing you can test, observe or verify it.
Risk point 2–ISACA uses the International Organization for Standardization (ISO) definition of risk, which combines “the probability of an event and its consequence.” This means the realization of a negative event is possible and may even have a good chance (high probability) of actually happening. If the risk does occur, then there will definitely be a specific impact (consequence) on the organization. Controls, such as data loss protection or restriction on administrative privileges, may help to prevent a risk from being realized. Other types of control activities, such as quick technology failovers or a proactive knowledge-sharing training program, may minimize the resulting impact of a realized risk. However, remember that an identified risk may never materialize; therefore, management needs to weigh the actions taken to prevent risk or minimize impact against many other factors.
Audit point 2—Audits are planned, scoped and validated to ensure that any findings are reported accurately. Control deficiencies, missing or old policy documents, noncompliance with rules, and ineffective processes and procedures are observable when audited. The organization has an obligation to address the resulting audit findings.
Risk point 3—Organizations often take explicit risk for the strategic business value that results from the risky activities, such as global expansion or increasing production of a product. Running an enterprise, delivering services and products, and meeting the requirements of your customers and constituents is often uncertain and has few guarantees of success. Management does not have an obligation to address risk it deems acceptable.
Audit point 3—Risk affecting organizations may have negative consequences in terms of societal, environmental, safety, security, financial and reputational impacts. Audit has a responsibility to communicate to management areas where more attention, better processes or additional controls would serve to reduce the exposure to the risk. When risk factors are identified, organizations need to ask the question, “Is the level of risk tolerable or acceptable, or does it require further actions?”
Remember that the identification of risk is just asking, “What could happen to keep us from meeting our strategy?” and that the identified risk may never materialize. A prudent business strategy may be to take more risk or not address a risk that has a low probability of occurrence. Risk assessments alone are not sufficient to enable decision-makers to have a complete picture of exposure. As organizations get better at control testing automation and quantitative exposure analysis, especially quantitative probability and impact analyses, it is easier for management to have the information it needs to decide to address the risk or not. There is no fiduciary duty to address a risk in the same way there is with an audit finding. That is why risk and audit are both needed to provide a balanced view to management.
Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Introducing the COBIT 2019 Framework
With the release of COBIT 2019, there has never been a better time to evaluate and right-size your governance program for information and technology. Building on the solid foundation of COBIT 5, this new release covers the latest developments affecting enterprises and sets up organizations for success with business transformation.
In addition to the updated framework, COBIT now offers more implementation resources, practical guidance and insights, and comprehensive training opportunities, including:
- New coverage of data, projects and assurance is included, along with updates to activities such as cybersecurity and privacy, plus updated linkages to all relevant standards, guidelines, regulations and best practices.
- Implementation is now more flexible, with new guidance offering both targeted project-based uses for specific problem-solving situations and comprehensive enterprisewide adoption to drive business transformation.
Information and technology are the crown jewels of every enterprise seeking to increase value, spur new growth, and fortify against threats and risk. Good governance is the key to unlocking these competitive advantages, and COBIT is the master framework for all your enterprise’s governance activities.
The first 2 COBIT 2019 publications, COBIT 2019 Framework: Introduction and Methodology and COBIT 2019 Framework: Governance and Management Objectives, were released on 12 November 2018. To access these publications and for more information on COBIT 2019, its publications and guidance, and new training opportunities, visit the COBIT page of the ISACA website.
CISA Exam Content to Be Updated in 2019
Campos; Getty Images
The Certified Information Systems Auditor (CISA) certification will be updated in 2019 to reflect the most current industry trends impacting the IT audit profession. Updated CISA review materials and training courses will be offered beginning in March 2019 to prepare candidates for the new version of the exam, which will take effect in June 2019.
While the 5 domains that comprise the CISA exam will remain similar in 2019, the exam weighting for these domains will change slightly. ISACA regularly updates its certification content to keep pace with industry demands and evolution. The CISA Certification Working Group recently completed a 6-month assessment that resulted in the revised content outline.
“Now in its 40th year, the CISA certification is more relevant than ever as effective deployment of technology and information systems is essential for enterprises to thrive in the digital economy,” said Kim Cohen, ISACA’s director of certification. “This content refresh for CISA, based on leading industry experts pinpointing the most beneficial knowledge and experience needed by global practitioners, will ensure CISA continues evolving to best serve certification holders and their enterprises.”
Six Areas to Assess When Diagnosing Organizational Culture
In view of the headlines concerning sexual harassment and conflicts of interest, or the ones on fraud, bribery and corruption, you may be thinking about auditing your organization’s culture. Or, your interest in organizational culture may be more personal; perhaps you are thinking about changing jobs and want to make sure that you will be in an environment that will enable you to thrive. Either way, you should know what to look for when diagnosing organizational culture.
Before evaluating organizational culture, it is important to define what it is and how it manifests itself. According to the American Heritage English Dictionary definition, organizational culture is: “The set of predominating attitudes and behavior that characterize a group or organization.”
Essentially, organizational culture is shared, learned, adaptive, integrated and transmitted cross-generationally. It involves what people think, what people do and what people make. It is the organizational air that employees breathe and fuels their thoughts, decisions, actions and results. An interesting element of culture is that it is, in part, taught. We are not born with the belief that “winning is not everything; it is the only thing” or “what have you done for me lately?” or “rank has its privileges.” Consider corporate-sponsored new-hire training programs; they frequently describe the organization’s history, values and goals. They may include stories or anecdotes involving enterprise founders, which encapsulate the organization’s core values or norms and explain the corporate values and culture to new hires. Sometimes corporate cultural messages are communicated indirectly and more subtly by explaining the performance management criteria or incentive compensation system instead of articulating and discussing the values and behaviors the organization prizes.
The 4 values that influence culture are:
- Internal focus and integration
- External focus and differentiation
- Flexibility and discretion
- Stability and control
The first 2 are oppositional—the more an organization values an internal focus and integration, the less it is capable of valuing an external focus and differentiation. The last 2 are also oppositional—the more an organization values flexibility and discretion, the less it is able to value stability and control.
These 4 values affect the following 6 elements of an organization’s culture:
Organizational climate—Is the climate like an extended family or a dynamic, entrepreneurial place to work?
Leadership—Are the leaders viewed as mentors, innovators and risk-takers or hard-drivers and producers?
Organizational glue—Is the organization held together by tradition and loyalty or a commitment to experimentation and innovation? Do rules and policies hold the organization together or is it an emphasis on winning?
Long-term emphasis—Is the long-term focus on human resources development, growth and new resource acquisition, and goal achievement or efficient, smooth operations?
Definition of success—Is success measured by sensitivity to customers and concern for people? Is it providing unique and new products and services? Is success measured by market share and penetration? Or is it dependable delivery, smooth scheduling and low cost?
Organizational focus and benchmarks—Is emphasis placed on internal maintenance with sensitivity to customers or external positioning with a high degree of flexibility and individuality?
Six Areas to Assess
If you would like to quickly assess an organization’s environment, assess how well senior and middle management in your organization management can:
- Articulate the primary risk in the business
- Provide a useful risk and control self-assessment
- Communicate self-identified issues—including the root cause—and the status of corrective action plans
- Identify the primary controls established to mitigate identified risk
- Identify the primary monitoring mechanisms established to evaluate the effectiveness of established controls
- Provide evidence or documentation of risk assessment processes and control system evaluations, including any action plans in progress
Compare the answers to determine whether the tone at the top and the tone in the middle are in alignment. If change is needed, be sure to consider all factors and values, not just one. For example, do not make changes to the organizational structure without thinking about whether changes are also needed to compensation, job descriptions and policies.
While corporate culture may be hard to define and even harder to exhibit, it is a substantial component of the control environment and plays an important role in driving organizational performance. It is an asset that can be managed to improve business performance or avoid undesirable and unethical behavior. During your next audit, consider asking questions that will provide insights concerning your senior and middle managers’ viewpoints on the 4 values and 6 elements that affect organization culture. Then, consider how well these responses correlate and complement your organization’s stated strategic and tactic plans. Evaluating your organization’s culture will provide important insights concerning its current and future performance.
Read more on the KnowledgeLeader website.
Editor’s Note: KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. Free 30-day trials are available.
Launching SheLeadsTech in Africa
Recently, my SheLeadsTech staff colleague Alisha Wenc, ISACA Corporate Programs Manager, and I travelled to Africa to launch the SheLeadsTech program in South Africa, Zambia and Kenya.
The welcome we received at each stop on our journey was more than we could have expected. We met amazing women who felt our events had created safe spaces in which they could tell their stories of inequality in the workplace and sometimes in broader society. Others told the stories of their journeys to becoming senior management and joyous events they experienced along the way—often related to personal achievement.
On our trip, we also met prominent men who wanted to make a difference, wanted to support their female counterparts as allies and also wanted to play a part as ambassadors for our program. The whole experience was very rewarding.
Additionally, in Nairobi, Kenya, we headed to the United Nations (UN) Compound to meet with UNWomen to determine if there is a possibility that we can work together to assist with the empowerment of women in Africa through the use of technology. It was a very good first meeting, and we are taking small steps toward a potential relationship. It was a great feeling to walk away from the meeting with them understanding more about our program and us understanding more about their work and where these 2 organizations dedicated to empowering and advocating women may intersect.
To learn more about SheLeadsTech, visit the SheLeadsTech page of the ISACA website.
Jo Stewart-Rattray, CISA, CRISC, CISM, CEGIT, CP, is director of information security and IT assurance at BRM Holdich.