Why Risk-based Auditing scores?

Dec 12, 2013

Incorporating a Risk-based Auditing system is an effective solution for implementations of business critical IT systems.

Choosing the right business critical IT systems that will meet an organisation's business requirements is the first and most important decision towards accomplishing a successful implementation, closely followed by the choice of the System Integrator or Implementer.

During the implementation, organisations face several significant challenges or tasks which they need to overcome. These include the reengineering of the current business processes, the reconfiguration of existing controls, and the adoption of the new business processes and new internal controls. Hence the need to integrate a Risk-based Auditing management system is recognised as one of the keys to successful implementations of business critical IT systems.

The focus here is on the best practices which need to be followed for Risk-based Auditing during the implementation cycle.

In a typical implementation cycle, the Project Management Office (PMO) is engaged or responsible for the risk assessment processes. The most common risk management standards used by the PMO are ISO 31000:2009 and Enterprise Risk Management Integrated Framework (COSO ERM).

The most obvious risk the PMO has to assess is whether the project is ready to go live. Apart from this there are several other risks which need to be mitigated for a successful implementation. Some examples are:

  • Compliance with industry regulations such as Basel II, PCI DSS, HIPAA, etc.
  • Compliance with various national, state and local data security and privacy laws.
  • Risk that business requirements will not be fulfilled during the implementation.
  • Risk that business requirements are not properly confirmed during the testing process.
  • Risk of delay and budget overshooting during the implementation.
  • Stability of the application, such as when and how patches are applied and their business impact.
  • Internal and external security systems.

Not every organisation has the same degree of risk appetite and the same risk-mitigating controls. The PMO has its own limitations, in the form of expert manpower and time, in mitigating all the risks which arise out of such huge business critical implementation projects.

How can the PMO effectively identify and manage risk in such business critical implementations? The answer is to have a Risk Advisor/Auditor who provides the PMO with vital inputs and corrective actions at the critical stages of the implementation.

The three suggested approaches are:

Option 1: Implementer providing the Risk-based Auditing services

The organisation must make sure that it gets qualified resources for both the implementation and the Risk-based Auditing services.

Pros:

  • Project planning is well integrated and more seamless, as both services are provided by a single entity.
  • Resources are well managed, since fewer coordination efforts and conflicts are involved.

Cons:
  • Independence and objectivity of the auditing function are eliminated.
  • The inherent conflict of interest between the implementation staff and the auditing staff, who share the goal of delivering on time and on budget, can lead to quality issues and to risks being left unidentified and unaddressed.

Option 2: Organisation's audit firm providing Risk-based Auditing services

This is one of the common approaches followed.

Pros:

  • An independent review (independent of the Implementer) of the project status, deliverables and results is obtained, and it protects the organisation from challenges by its stakeholders to any critical decision made during the implementation.
  • As the audit firm is already aware of the existing processes and controls, the design and acceptance of the new processes and controls is easier.

Cons:

  • The skill sets and experience of the consultants in implementing or using the application might not be adequate.

Option 3: Independent firm providing Risk-based Auditing services

This is one of the most professional approaches.

Pros:

  • The consultants are focused and experienced, and experts in their respective domain.
  • An independent review in the true sense is achieved without a bias towards any firm or stakeholder.

Cons:

  • The firm's brand credibility needs to be verified before it is appointed.
  • The ROI needs to be evaluated and approved, as it is a costly affair.

Irrespective of the approach, the key issue is the type of services offered and the selection of the services an organisation requires. The services on offer include:

Complete Risk Assessment Services: The Risk Advisor/Auditor needs to be involved at all stages of the implementation, right from the design phase to the go-live phase of the project. A well-defined risk assessment programme needs to be in place before the commencement of the project as it helps the PMO identify strategic and tactical risks at the right time, with the appropriate controls to mitigate the risks arising.

Specific Risk Assessment Services: These services are tailored to the specific demands of a PMO that wants to identify and mitigate particular risks rather than buy a complete risk assessment package. The common services available are:

  • Internal Controls Design, targeted at the design of internal controls.
  • Business Process Design, targeted at the design of the to-be business processes and their alignment with the to-be internal controls.
  • Software Configuration & Change Management, targeted at the initial configuration of the application as per the designed business processes and internal controls, and at the design of a change management process that complies with best practices.
  • Security Role Definitions & Assignment, targeted at the definition of roles and the security of the application, to achieve the integrity of the system's business processes and applications.
  • Testing, targeted at the final User Acceptance Testing results to confirm the readiness of the system.
  • Controls Related Software, targeted at analysing the need for third-party software to identify segregation of duties issues, provide an audit trail and overcome the common deficiencies of the system.
  • Go-Live Readiness Assessment, which combines software configuration and change management, security role definitions and assignment, and testing, and is done specifically to check the go-live readiness of the system.

When implementing business critical systems, an organisation puts most of its eggs in a single basket, from the investment made to the brand image perceived in the market, with the expectation that the new system will meet its business objectives and control objectives and catapult the organisation into the magic quadrant. Risk-based Auditing services can definitely play a quality assurance role for such an implementation.

The author is Manager IT, Mettler-Toledo India Pvt Ltd.
