Five Steps for Effective Auditing of IT Risk Management

Author: ISACA
Date Published: 24 July 2019

What must the third line of defense do to evaluate the effectiveness of the IT risk management program? Regulators already expect the first and second lines of defense to operate mature IT risk management programs around complex IT systems. Failure to design and manage effective IT risk management functions could result in exposure to material business risk, inadequate prioritization of risk remediation efforts and excessive cost for IT risk mitigation. This means that the third line of defense must consist of regular internal audit reviews of IT risk management to keep the first and second lines fit and healthy and to prevent typical slip-ups in the IT risk management program. Alexander Obraztsov, CISA, CISSP, PMP, explores these concepts in his COBIT Focus article, “Five Steps for Effective Auditing of IT Risk Management Using ISACA’s IT Risk Management Audit/Assurance Program.”

IS auditors (who make up the third line of defense) must consider many factors that add complexity to the planning and execution of audit projects focused on the IT risk management program. Adapting ISACA’s IT Risk Management Audit/Assurance Program and following a clear five-step process can help enterprises reach comprehensive audit conclusions, add value and improve the organization. Those steps are:

  • Step 1: Prepare by mapping to relevant standards—To avoid the associated compliance risk and potential fines, it is important to verify that mandatory regulatory requirements are not overlooked during the planning phase. Thus, as a first step, IS auditors should map the audit program to the relevant industry regulations, standards and guidelines. For example, the requirements of the FFIEC IT Examination Handbook apply to the financial industry in the United States. The requirements of the US National Institute of Standards and Technology (NIST) Special Publication 800-37 Rev. 2, Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, and of the International Organization for Standardization (ISO) standard ISO 31000—Risk Management are used in the public sector. In many cases, though, the ISACA IT Risk Management Audit/Assurance Program can be referenced directly and will require few changes; it draws on both COBIT 5 and COBIT 2019.
  • Step 2: Adjust for audit scope and objectives—After aligning the program with industry standards and requirements, further adjustment regarding audit scope and objectives should be considered.
  • Step 3: Prioritize controls and align to budget—After confirming relevance and completeness of control objectives, IS auditors may proceed with a preliminary analysis of IT risk management processes by identifying existing controls and potential weaknesses. Assessing inherent and residual risk for each process helps to prioritize the areas requiring the most attention and budget.
  • Step 4: Test controls—Testing is the most labor-intensive step. When reviewing the controls under the governance control objective and the IT risk management framework control objective of ISACA’s IT Risk Management Audit/Assurance Program, IS auditors should ensure that senior IT and enterprise management and the board of directors (BoD) regularly and routinely consider, monitor and review the IT risk management function and define the organization’s appetite for IT risk.
  • Step 5: Consolidate and present results—Once control testing is completed, the IS auditor will have a comprehensive view of the IT risk management program, including its integration into the enterprise risk management (ERM) framework; the overall governance, roles and responsibilities of the main contributors; and the level of IT risk appetite within the organization. An opinion can be prepared for each tested control objective, and the auditor may inform management of the reasons for passing or failing each section, highlight any weak areas and demonstrate the potential impacts on the organization.

Interested in exploring these five steps for auditing IT risk management as part of the third line of defense in more depth? Read Obraztsov’s full article, “Five Steps for Effective Auditing of IT Risk Management Using ISACA’s IT Risk Management Audit/Assurance Program,” in COBIT Focus.