Steps of Risk Assessment:
Note down the steps of risk assessment below; invariably there will be 2 or more questions on this concept.
- First step is to identify the assets (in some cases, critical processes).
- Second step is to identify the relevant risks (vulnerability/threat).
- Third step is to do impact analysis (qualitative or quantitative).
- Fourth step is to prioritize the risks on the basis of impact.
- Fifth step is to evaluate controls.
- Sixth step is to apply appropriate controls.
Clarification on Vulnerability & Threat:
One of ISACA's favourite tricks in the CISA exam is to get us confused between the terms 'vulnerability' and 'threat'. Let us understand the basic difference between the two so they cannot trick us anymore.
What is a threat?
A threat is what we are trying to protect against. Our enemy could be an earthquake, fire, hackers, malware, system failure, criminals and many other unknown forces. Threats are not in our control.
What is vulnerability?
A vulnerability is a weakness or gap in our protection efforts. A vulnerability can be in the form of weak coding, missing anti-virus, weak access control and other related factors. Vulnerabilities can be controlled by us.
Types of Risk:
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls).
Residual Risk: The risk that remains after controls are taken into account (the net risk or risk after controls).
Detection Risk: Risk that the auditors fail to detect a material misstatement in the financial statements.
Control Risk: Risk that a misstatement could occur but may not be detected and corrected or prevented by the entity's internal control mechanism.
Audit Risk: Inherent Risk x Control Risk x Detection Risk