A risk-based approach to internal audit planning

(With thanks to Chris Baker, Technical Director, Institute of Internal Auditors)

Changing risk profile

The head of internal audit needs to know whether anything has changed in the risk profile of the organisation to create the need for the audit. Since management is responsible for managing risks, the head of internal audit will discuss with the managers responsible for information security risks their assessment of the effect of the recent events on the organisation’s risk profile.

The considerations to take into account relate to the evaluation of the risks and of the responses that management believes are in place to address these risks. They include:

1. The size of a risk depends on the impact on the organisation if the risk event crystallises and the likelihood that it will crystallise. The evaluation of the size may therefore have changed because:

  • The projected impact of losing personal data may now be thought to be higher than before, because the damage to reputation could be greater given the publicity and public interest in the issue, and the potential sanction demanded by the data protection regulators may be higher than before.
  • It is possible that the likelihood of this happening might have changed – perhaps there will be increased interest from external parties in trying to force an incident, or perhaps managers have decided immediately to follow the actions of HM Customs and Revenue, to remove the drive bays and connection ports and thus to eliminate the possibility of moving any data onto digital media.
  • The actual effectiveness of existing responses to the risk may change – e.g. staff may be more sensitive to the risk as a result of the publicity.
  • The perceived effectiveness of responses to the risk may also change – managers may have been relying on technical access controls to protect access to confidential data, without taking into account the vulnerabilities related to transferring data outside the organisation.

All of these may change the relative priority of data security issues and the appropriate treatment in the internal audit plan.

Source of assurance and skills available to internal audit

The internal audit plan will take into account not only the risk analysis but also those areas on which those responsible for governance want the independent and objective assurance that internal audit can offer, as well as the skills available to internal audit to provide that assurance.

Given the greater focus on data security issues, senior management and the board may feel a need for more independent and objective assurance. This would be a reason for including a new project in the internal audit plan.

However, the head of internal audit may be able to minimise the work to be done by internal audit by reviewing the work being done by other assurance sources. Internal audit can assist the organisation by helping senior management and the audit committee to understand all the monitoring and assurance activities that the organisation undertakes, and by providing a bridge between the data security specialists and the audit committee, if one is needed.

Although in an ideal world all internal audit functions would have the skills necessary to address data security issues, it may still be the case that some organisations do not have those skills available. The head of internal audit will have reported this to those responsible for governance and obtained their approval of the implications – that certain assurances could not be provided. Given the changes in the perceptions of data security issues, this may no longer be acceptable. In that case, the head of internal audit will be required to identify and source skilled resources from elsewhere.
