June 4, 2020

Show Me How your Audit Plan is Risk-based – WST

Recently, we have fielded a few questions from financial clients on an examiner request: “Show your IT audit risk assessment with details of scope and frequency.”  What the examiner is really asking is “Show me how your audit plan is risk-based.”  The good news is that you are probably doing everything you need to be doing; you may just not know how to answer the question.

In a risk-based audit plan, risk assessments are used to determine audit scope and frequency.  Does your audit plan contain the following elements?

  • A risk assessment process to describe and analyze inherent risk to IT and information security assets.  The risk assessment process should utilize a scoring system that considers relevant risk factors, and to the extent possible, avoids subjectivity.  The risk assessment should be updated at least annually, or more frequently to reflect changes such as new processes, new infrastructure, new public facing services, security incident or breach, mergers & acquisitions, etc.
  • An audit cycle where the risk assessment is the driving factor for determining the frequency of audits.  In your audit plan, define audit frequency based on risk scoring – for example, areas with an inherent high-risk score are typically audited annually, and moderate-risk areas might be audited every other year.  Areas with an inherent critical-risk score, such as social engineering awareness, might be audited or tested at least annually, or even more frequently.  As noted above, major changes or other events could trigger out-of-schedule audits or testing, and your plan should note this.

Wireless network access is a good example of a function or service where the risk assessment process can be used to determine audit scope and frequency.  If an institution implemented a guest wireless network that doesn’t have access to production resources, the risk assessment would likely result in a low inherent risk for this area, and wireless access might not be included in much or any auditing or testing.  What if the production network was wirelessly accessible?  That would arguably result in a high-risk rating, triggering annual testing as defined by your schedule.

The extent of audit planning required depends on the size and complexity of your institution.  Audit programs may range from “We just audit everything annually,” to the use of detailed enterprise-wide risk management programs at larger institutions where audit scope and frequency are much more granular.  For smaller institutions, an annual IT audit, penetration test, internal and external vulnerability assessments, and social engineering test will likely cover your needs by testing the relevant controls identified in your risk assessment.

If you follow the process as described above, you will be able to confidently answer the “Show me how your audit plan is risk-based” question.  As usual, we have example risk-based audit plan verbiage if you need a place to start.  Ask us for it!