Establishing processes for risk profiling

Status: Live

The organization will maintain processes for internal risk assessments that include risk profiles defining the risk and control factors to assess and the control structures for each IT product, service, or function. [UCF ID 01157]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

PCAOB Auditing Standard No. 5, ¶ 47, ¶ 62; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.72; FFIEC IT Examination Handbook – Audit, August 2003, Pg 15, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Information Security, Pg 11, Pg 12; FFIEC IT Examination Handbook – Management, Pg 22; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 2.1; FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 3; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 45, Pg 46; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.1; CobiT 4.1, PO1.3; The Standard of Good Practice for Information Security, SM3.3.2; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.3.1; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 18, Pg 19; OMB Circular A-123 Management’s Responsibility for Internal Control, § App A § IV.B; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 31; Archer Control Table, ATCS-027

Sarbanes Oxley Guidance

Each control carries risk. Factors that affect the amount of risk include the nature of the misstatements the control prevents or detects; whether the account has a history of errors; the effectiveness of the controls; how frequently the control operates; the degree to which the control depends on other controls; changes in transaction volume that might affect the design or operating effectiveness; the competence of the personnel operating the controls; whether the control operates automatically or manually; and the complexity of the controls. The auditor should evaluate all identified deficiencies to determine whether they are material weaknesses. The severity of a deficiency depends on the magnitude of the potential misstatement and on whether there is a reasonable possibility that the controls will fail to prevent or detect a misstatement. [¶ 47, ¶ 62, PCAOB Auditing Standard No. 5]

The auditor should determine if the control environment elements have been implemented by obtaining evidence based on inquiries and other risk assessment procedures. [§ 314.72, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

The assessment of the controls should be documented and should contain the following: a list of the members of the senior assessment team; the assessment methodology; the tests and results of the tests; any communications with management or employees; if contractors are used, the contracting agreement; and identified deficiencies, along with improvement suggestions. [§ App A § IV.B, OMB Circular A-123 Management’s Responsibility for Internal Control]

The organization should identify all risks to the systems. The specific information the risks affect and how the risks occur should be documented. The impact of the risk on the system should be determined. [Pg 31, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

The risk assessment should identify the organization's data, applications, operating systems, technology, facilities, personnel, business activities, and business processes. [Pg 15, Exam Tier II Obj D.2, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should assess the importance of systems based on the criticality and sensitivity of the data they store and/or transmit. [Pg 11, Pg 12, FFIEC IT Examination Handbook – Information Security]

The organization should gather data from system inventories, strategic plans, continuity plans, the monitoring of service providers, audit findings, self-assessments, and call center tracking reports to aid in the development of a formal risk assessment. [Pg 22, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

An initial risk profile should be developed by the examiners for each service provider based on information gathered during the examination and from reports from other external audits. [Pg 3, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

Payment Card Guidance

The organization should use fraud screening tools to help identify high-risk transactions. Examples of high-risk transactions include transactions that match data stored in negative files, do not receive an Address Verification Service (AVS) match, and/or use international Internet Protocol (IP) addresses. Other methods for determining high-risk transactions include examining the type of goods purchased, the amount of the transaction, and the country the card was issued from, and comparing the shipping address to a database of third-party, high-risk shipping addresses. [Pg 45, Pg 46, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
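The indicators above lend themselves to a simple rule-based screen. The following is an added example, not code from the VISA guide or from the UCF control text: it scores each transaction against the listed indicators (negative-file match, AVS result, international IP address, issuing country, goods type, amount, and a high-risk shipping-address list) and routes it to accept, review or hold. The weights, thresholds, tiers, reference lists and sample transactions are all constructed for illustration and would be tuned against the merchant's own fraud history.

```python
"""Rule-based fraud screening for e-commerce transactions.

Added example; weights, thresholds, reference data and sample transactions are
constructed and do not come from any published guide.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    order_id: str
    card_hash: str       # hashed PAN; the raw card number is never stored here
    amount: float
    avs_result: str      # "match", "partial", "no_match" or "unavailable"
    ip_country: str      # ISO country code derived from the customer's IP address
    issuer_country: str  # ISO country code of the card issuer (from the BIN)
    goods_category: str
    ship_address: str


# Constructed reference data: a stand-in for the merchant's negative file and
# for a third-party high-risk shipping-address database (stored normalised).
MERCHANT_COUNTRY = "US"
NEGATIVE_FILE_CARDS = {"h-3f2a9c", "h-77be10"}
HIGH_RISK_SHIP_ADDRESSES = {"p o box 4411 reno nv 89502"}
HIGH_RISK_GOODS = {"gift_cards", "electronics", "jewelry"}
HIGH_AMOUNT = 1000.00

# Constructed weights; each indicator contributes additively to the score.
WEIGHTS = {
    "negative_file_match": 50,
    "avs_no_match": 25,
    "avs_inconclusive": 10,
    "international_ip": 15,
    "foreign_issuer": 10,
    "high_risk_goods": 10,
    "high_amount": 15,
    "high_risk_ship_address": 30,
}


def normalise_address(addr: str) -> str:
    """Lower-case, replace punctuation with spaces and collapse whitespace so
    that trivial formatting differences do not defeat the address lookup."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in addr.lower())
    return " ".join(cleaned.split())


def score_transaction(tx: Transaction) -> tuple[int, list[str]]:
    """Return the additive risk score and the list of indicators that fired."""
    reasons: list[str] = []
    if tx.card_hash in NEGATIVE_FILE_CARDS:
        reasons.append("negative_file_match")
    if tx.avs_result == "no_match":
        reasons.append("avs_no_match")
    elif tx.avs_result in ("partial", "unavailable"):
        reasons.append("avs_inconclusive")
    if tx.ip_country != MERCHANT_COUNTRY:
        reasons.append("international_ip")
    if tx.issuer_country != MERCHANT_COUNTRY:
        reasons.append("foreign_issuer")
    if tx.goods_category in HIGH_RISK_GOODS:
        reasons.append("high_risk_goods")
    if tx.amount >= HIGH_AMOUNT:
        reasons.append("high_amount")
    if normalise_address(tx.ship_address) in HIGH_RISK_SHIP_ADDRESSES:
        reasons.append("high_risk_ship_address")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to a handling tier (constructed thresholds)."""
    if score >= 60:
        return "hold"      # do not fulfil until a fraud analyst clears it
    if score >= 30:
        return "review"    # fulfil only after a manual check
    return "accept"


def screen(transactions: list[Transaction]) -> dict[str, tuple[int, str, list[str]]]:
    """Score every transaction and attach a decision keyed by order id."""
    results = {}
    for tx in transactions:
        score, reasons = score_transaction(tx)
        results[tx.order_id] = (score, decide(score), reasons)
    return results


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    Transaction("A-1001", "h-9d01ee", 49.99, "match", "US", "US", "books",
                "12 Elm St, Springfield, IL 62701"),
    Transaction("A-1002", "h-1c44ab", 1249.00, "no_match", "RO", "US", "gift_cards",
                "88 Oak Ave, Austin, TX 78701"),
    Transaction("A-1003", "h-5e7720", 210.00, "match", "US", "CA", "electronics",
                "P.O. Box 4411, Reno, NV 89502"),
]

if __name__ == "__main__":
    for order_id, (score, decision, reasons) in screen(SAMPLE_TRANSACTIONS).items():
        print(f"{order_id}: score={score:3d} decision={decision:7s} reasons={reasons}")
```

Keeping the fired indicators alongside the score matters for the audit trail the control calls for: a reviewer can see why an order was held, and the weights can be re-tuned when a rule turns out to flag legitimate orders.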

US Federal Security Guidance

[§ 3.1, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

General Guidance

[PO1.3, CobiT 4.1]

A risk analysis should be performed on critical information and systems belonging to the organization at an early stage of development of new systems, before new technology is introduced, prior to allowing access to the system by external sources, and at an early stage of significant changes to the system or information. [SM3.3.2, The Standard of Good Practice for Information Security]

[Ch 5.3.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

Asia and Pacific Rim Guidance

Establishing context makes risk profiling more accurate: by understanding the organization's environment, it is easier to determine what types of risk the organization will face as a result, and then to identify all of those risks. Ideally, risk identification begins with spotting risks, then analyzing each to determine whether it is likely or would have a large impact, then treating the risks that rank worst, and finally documenting all prescribed treatments. [Pg 18, Pg 19, Australia Better Practice Guide - Business Continuity Management, January 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.