• Because IT can be pervasive, consider risks from a multidisciplinary perspective. For example, risks can relate to network security, Automated Clearing House and item processing, ATM management, Internet banking, and core processing system security.
A risk assessment process should be designed and performed with repeatability in mind, so that successive assessments can be compared. Risk assessments should be updated periodically, and the results should be reported to those charged with governance and to other stakeholders before key system changes are made, new products or services are implemented, or new external conditions arise that would affect the risk analysis.
While several risk assessment formats are acceptable, many institutions use a spreadsheet that identifies information assets or IT system components as the key set of data. Identified risks, threats, and vulnerabilities, as well as a consideration of key controls and residual risk, are then mapped to this spreadsheet.
Conclusion
The output of an IT risk assessment process must be used to make effective decisions. Identifying the areas with the highest levels of unacceptable risk can inform an organization on how to invest resources—including personnel time and effort. Institutions that use risk assessments to make business decisions will be better positioned than peers who make resource decisions without adequately considering risk.
David Dyk has over 10 years of experience providing internal audit, information security, management consulting, and IT governance services to financial institutions and other enterprises.
The material appearing in this communication is for informational purposes only and should not be construed as legal, accounting, or tax advice or opinion provided by Moss Adams LLP.
This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials
have been prepared by professionals, the user should not substitute these materials for professional services and should seek advice from an independent advisor before acting on any
information presented. Moss Adams LLP assumes no obligation to provide notification of changes in tax laws or other factors that could affect the information provided.