Risk Assessment Issues
May 2013

Common Shortcomings Noted in Risk Assessments Related to IT Outsourced Service Providers

Shortcoming 1: Risk areas are not formally considered. Most commonly, strategic risk, systemic risk, exit strategy risk, and counterparty risk will be missing altogether from the risk assessment documentation.

Justification typically provided by management: Management will argue that such risks are not required to be considered formally because:
- The organization has been with the same IT service provider for many years.
- The IT service provider has a strong reputation.
- There are clauses in the original contract or service level agreement (SLA) that protect the organization by defining applicable penalties if service levels are not met by the vendor.

Possible responses from the internal auditor: The internal auditor should challenge management and insist that all areas be formally considered and documented. The auditor can cite examples of major telecommunication service providers that are facing challenges in delivering services to their customers. Also, the auditor can show statistics of how many contracts are terminated early due to poor service delivery. The auditor should insist that management formally document where it believes the SLA or contract fully safeguards the company from risks. Once management has formally documented all risk areas, it may realize that it should implement further controls or make changes to the existing SLA or contract with the service provider.

Shortcoming 2: Even for significant risk areas, management may not have any controls in place, especially in relation to IT service providers. Management may document

Justification typically provided by management: Management may argue that it does not have adequately skilled personnel to monitor the outsourced service provider, therefore it has not implemented any controls. Management may state that the reason to outsource the IT process or function was that executives do not have the expertise.

Possible responses from the internal auditor: Internal auditors should not accept management's justification without a thorough analysis. If, in fact, management does not have adequate skills to monitor the service provider at all, the auditor should insist that management consider involving third-party auditors to perform such audits. Many IT service providers have an audit performed by an independent external auditor on an annual basis. The external auditor may perform the audit and report results by following one of two service organization reporting standards: Statement on Standards for Attestation Engagements No. 16, issued by the American Institute of Certified Public Accountants, and International Standard on Assurance Engagements No. 3402, issued by the International Federation of Accountants. Alternatively, management could request that the service provider establish an independent compliance or internal audit function, which would report to management periodically. This may involve changing the original contract or SLA with the service provider and could result in implementing controls to mitigate risk areas.

Shortcoming 3: Management updates the current-year risk assessment documentation based on prior-year risk assessments.

Justification typically provided by management: Management may argue that no significant changes have occurred in the organization's environment, therefore no updates to the risk assessment have been made. Another common argument management might present is that because components, specifications, or configuration of the outsourced IT environment have remained unchanged, no update to the IT risk assessment has been performed.

Possible responses from the internal auditor: Internal auditors should remind management that risks can arise not only due to changes at its own organization but also due to changes at the service provider (e.g., financial, strategic, personnel/staffing). Internal auditors also should educate management that even if the specification, configuration, or components of the outsourced IT environment have remained unchanged, changes in staff, processes, or policies at the service provider can introduce new risks that should be assessed. The auditor should verify whether any significant changes at the service provider have occurred that could impact the conclusions reached in the risk assessment.
Internal Auditor, 247 Maitland Ave., Altamonte Springs, Florida 32701, www.internalauditoronline.org