•;Because IT can be pervasive, consider risks
from a multidisciplinary perspective. For
example, risks can relate to network security,
Automated Clearing House and item processing,
ATM management, Internet banking, and core
processing system security.
A risk assessment process should always be
created and performed with repeatability in
mind. Risk assessments should be updated
periodically, and the results should be reported
to those charged with governance and to other
stakeholders prior to making key system changes,
implementing new products or services, or
confronting new external conditions that would
affect the risk analysis.
While several risk assessment formats are
acceptable, many institutions use a spreadsheet
that identifies information assets or IT system
components as the key set of data. Identified
risks, threats, and vulnerabilities, as well as a
consideration of key controls and residual risk,
are then mapped to this spreadsheet.
The output of an IT risk assessment process
needs to be considered to make effective
decisions. Identifying the areas with the highest
levels of unacceptable risk can effectively inform
an organization on how to invest resources—
including personnel time and efforts. Institutions
that can take advantage of risk assessments to
make business decisions will be better positioned
than peers who make resource decisions without
adequately considering risk.
David Dyk has over 10 years of experience providing
internal audit, information security, management
consulting, and IT governance services to financial
institutions and other enterprises.
The material appearing in this communication is for informational purposes only and should not be construed as legal, accounting, or tax advice or opinion provided by Moss Adams LLP.
This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials
have been prepared by professionals, the user should not substitute these materials for professional services and should seek advice from an independent advisor before acting on any
information presented. Moss Adams LLP assumes no obligation to provide notification of changes in tax laws or other factors that could affect the information provided.