Establish, implement, and maintain risk profiling procedures for internal risk assessments.
CONTROL ID
01157
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • analysing the impact of the outsourcing arrangement on the overall risk profile of the institution, and whether there are adequate internal expertise and resources to mitigate the risks identified; (5.3.1 (d), Guidelines on Outsourcing)
  • Establishing context to make risk profiling more accurate is called for. By understanding an organization's environment, it's easier to figure out what types of risks the organization will face as a result. Then all risks can more easily be identified. Ideally, risk identification should begin with … (Pg 18, Pg 19, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Note objects with increased security requirements for a risk analysis (§ 8.2.9 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Upstream companies should maintain up-to-date information to identify the supply chain and assess the risk effectively. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.B, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • This appendix contains many recommended questions the risk assessment should answer relating to the supply chain of tin, tantalum, tungsten, their ores, and metal derivatives that can lead to risks. (Supplement on Tin, Tantalum, and Tungsten App: C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should identify all mines and/or mine smelt houses where they buy mined gold to determine if it was purchased from a conflict-affected and high-risk area. (Supplement on Gold Step 2: § I.B.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should review the "know your counterparty" information from suppliers and additional information on origin and transport to determine if it was purchased from a conflict-affected and high-risk area. (Supplement on Gold Step 2: § I.B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should assess and verify the representations of suppliers in proportion to the risk to determine the gold's origin. (Supplement on Gold Step 2: § II.A, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Does the policy management software enable the organization to establish and manage a customized risk profile? (Table Row II.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should use fraud screening tools to help identify high-risk transactions. Examples of high-risk transactions include transactions that match data stored in negative files, do not receive an Address Verification Service (AVS) match, and/or use international Internet Protocol (IP) add… (Pg 45, Pg 46, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • IT-related risks should be considered holistically, rather than discretely and should be considered at the enterprise level. Each individual risk should be assessed by itself and how it impacts other risks. (§ 4.3 ¶ 3, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The risk factors that are associated with each application control should be defined by the auditors. This definition should include the key application controls; the application controls' design effectiveness; developed or pre-packaged applications or databases; how many critical business processes… (§ 3 (Application Control: Risk Assessment Approach), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as risk ratings used (e.g., aligned with risk ratings used for other types of business risk). (SI.02.02.04b, The Standard of Good Practice for Information Security)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as risk ratings used (e.g., aligned with risk ratings used for other types of business risk). (SI.02.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks. (GRC-02, Cloud Controls Matrix, v4.0)
  • Assessment of Risks. The organization should identify and assess the risks to which the IT system and its assets are exposed, in order to identify and select appropriate and justified security safeguards. Risks are a function of the values of the assets at risk, the likelihood of threats occurring t… (¶ 9.3.7, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall establish and maintain a risk profile, that includes the Risk Management context, risk threshold, the probability of each risk, the consequences of a risk, and the priority of each risk. (§ 6.3.4.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Organizations should implement a risk-based approach to identifying, assessing, and understanding the AI risks to which they are exposed and take appropriate treatment measures according to the level of risk. The success of the overall AI risk management process of an organization relies on the iden… (§ 6.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The auditor should determine if the control environment elements have been implemented by obtaining evidence based on inquiries and other risk assessment procedures. (§ 314.72, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Because each system and the environment in which it operates are unique, the combination of risks that would prevent a service organization from achieving its service commitments and system requirements, and the controls necessary to address those risks, will be unique in each SOC 2 examination. Man… (¶ 1.52, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifying and assessing risks that could prevent the service organization from achieving its service commitments and system requirements (¶ 2.05 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifying the risks that threaten the service organization's achievement of its service commitments and system requirements stated in the description (¶ 2.32 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in paragraph 2.58, service organization management would usually be unable to make an assertion about the suitability of design and, in a type 2 engagement, operating effectiveness of controls without first having performed a risk assessment. The risk assessment enables management to id… (¶ 2.117, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifying the risks that threaten the achievement of the service organization's service commitments and system requirements (¶ 2.142 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor's risk assessment procedures begin with the identification and assessment of inherent risks that may affect the description of the system, suitability of design of controls, and in a type 2 examination, the operating effectiveness of controls. This guide uses inherent risk to ref… (¶ 2.129, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifying and analyzing risks that could prevent the service organization from achieving its service commitments and system requirements (¶ 2.191 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Suitably designed controls, if implemented and operating effectively, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have t… (¶ 3.91, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Ongoing monitoring that identifies and evaluates changes in risk and periodic updates to the risk profile assessment. (App A Objective 2:8b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the institution's risk management program facilitates effective risk identification and measurement and provides support for risk decisions within ITRM. (App A Objective 7, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Identify risks and threats from both internal and external sources. (App A Objective 7:4 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether IT management participates in the enterprise-wide risk management process to identify and measure risk from the use of IT, support decisions on how to mitigate the risks, implement the mitigation decisions, and monitor and report on the resulting outcomes. (App A Objective 8:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a risk management program and whether the program includes an integrated approach for enterprise-wide risk management, including identification, measurement, mitigation, monitoring, and reporting of risk. If applicable, determine whether the structure conforms t… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The risk assessment should identify the organization's data, applications, operating systems, technology, facilities, personnel, business activities, and business processes. (Pg 15, Exam Tier II Obj D.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should gather data from system inventories, strategic plans, continuity plans, the monitoring of service providers, audit findings, self-assessments, and call center tracking reports to aid in the development of a formal risk assessment. (Pg 22, FFIEC IT Examination Handbook - Management)
  • Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to: ▪ Functions outsourced; ▪ Service providers, including, where appropriate, unique risks inherent in foreign-based service provider arrangements; and ▪ Technology used. (Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • An initial risk profile should be developed by the examiners for each service provider based on information gathered during the examination and from reports from other external audits. (Pg 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The following system-related information must be collected by the person(s) conducting the risk assessment: interfaces, software, hardware, mission, data sensitivity, data criticality, data, information, and persons who use and support the system. Additional information relating to the operational e… (§ 3.1.1, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • The organization should identify all risks to the systems. The specific information the risks affect and how the risks occur should be documented. The impact of the risk on the system should be determined. (Pg 31, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The assessment of the controls should be documented and should contain the following: a list of the members of the senior assessment team; the assessment methodology; the tests and results of the tests; any communications with management or employees; if contractors are used, the contracting agreeme… (§ App A § IV.B, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Agencies must maintain a risk profile. The primary purpose of a risk profile is to provide a thoughtful analysis of the risks an Agency faces toward achieving its strategic objectives arising from its activities and operations, and to identify appropriate options for addressing significant risks. Th… (Section II (B) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Inherent Risk Assessment (Section II (B) ¶ 3 Bullet 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Current Risk Response (Section II (B) ¶ 3 Bullet 4, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Proposed Risk Response (Section II (B) ¶ 3 Bullet 6, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • After initial implementation, the agency's risk profile must be discussed each year with OMB as a component of the summary of findings from the Agency strategic review and FedSTAT (See OMB Circular No. A-11, Section 270). For those objectives for which formal internal control activities have been id… (Section II (C) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Assessing risk is the next critical step in building the Agency's risk profile, which includes three important principles: (Section II (B2) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Each control has risk associated with it. Some of the factors that affect the amount of risk are the nature of misstatements the control is preventing or detecting; whether or not the account has a history of errors; the effectiveness of the controls; the frequency that the control operates; the deg… (¶ 47, ¶ 62, PCAOB Auditing Standard No. 5)