
Module 4

SECTION 3: APPENDIX
This section contains a few checklists that may be useful to IS auditors when auditing the
different areas discussed in this module. Please note that the contents of this section are for
information only and may not be complete in all respects. Auditors should pick and choose from
these checklists while conducting an audit and modify them as required by the scope and
requirements of the audit.

1. Audit Checklist: Risk Management Process


Below are some of the suggested criteria and procedures for conducting an audit of risk
management. The auditor's primary role is to ascertain whether the methods and procedures used
were appropriate and conform to the policies and guidelines which make up the organization’s
approach to risk management. The auditor's secondary role is to ensure that any identified
deficiencies are dealt with and that follow-ups are made.

Each item below gives the section, the control objective and the audit procedures to apply.

1. Risk Management framework
   Control objective: The organization must have a risk management policy and framework that
   guides users in risk identification and assessment.
   Audit procedure:
   - Review the risk policies for common terminology, risk response options and the definition
     of risk and control owners.
   - Understand the risk management process and framework.
   - Interview managers to confirm that they understand the terminology, process and framework.
   - Review the risk register and its updating process.
   - Interview senior management to understand the risk appetite and risk tolerance levels.

2. Risk Identification
   Control objective: Management understands the risk identification concept and has identified
   the key risks.
   Audit procedure:
   - Check whether all managers are aware of the key risks to the organization and/or their
     function.
   - Assess the depth of each manager's understanding of the risk identification process based
     on his or her awareness.
   - Verify that managers have assessed the key risks to the organization.
   - Assess the completeness and accuracy of the risk assessment.

3. Risk Mitigation
   Control objective: Management has performed valid risk assessments.
   Audit procedure:
   - Verify that management has documented risk assessments for each of the significant risks
     identified.
   Control objective: Management has selected and implemented cost-effective risk control
   measures.
   Audit procedure:
   - Verify that management has developed a series of cost-effective, risk-minimizing control
     options.
   Control objective: As a result of implementing the control measures, the overall risk to the
   organization has declined.
   Audit procedure:
   - Assess whether the control measures introduced have reduced the identified threats as
     intended.

4. Risk Monitoring
   Control objective: Incidents, changes, acquisitions and projects are investigated, management
   has reviewed the risks associated with their root causes, and the risk register is updated
   accordingly.
   Audit procedure:
   - Review the root cause of incidents and ensure the risk register is updated.
   - Review changes and acquisitions and their linkage to the risk register during the
     assessment of the impact of the change.
   - Review the project risk management process.

5. Risk register
   Control objective: The risk register records, for each risk, the risk identification, the
   risk response, the risk owner and the controls implemented.
   Audit procedure:
   - Verify that there is a clear and comprehensive procedure for recording, filing,
     maintaining and reporting on the risk register and its data sources.
   - Determine whether the procedures associated with risk management activities are carried
     out.
   - Assess whether all occurrences of risk-related incidents have been reported.

6. Risk review
   Control objective: A risk review process is in place and risk reviews take place
   periodically to reassess identified risks and to assess new risks.
   Audit procedure:
   - Review the risk register for updates made after each risk review.
   - Interview risk owners to confirm that they have followed the review process.

7. Control identification
   Control objective: Controls are identified based on the risk assessment, and a cost-benefit
   analysis is performed for the selected controls.
   Audit procedure:
   - Check that the controls selected and implemented are mapped to identified risks.
   - Review the cost-benefit analysis (qualitative or quantitative) for the implemented
     controls against the total impact/exposure of the risk.
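Items 5, 6 and 7 above (register completeness, periodic review, and cost-benefit of controls against exposure) are the kind of checks an auditor can script over an exported risk register. The following is an added example written for this appendix, not part of the module or of any organization's tooling. The register layout, the field names, the annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) model used to quantify exposure, the one-year review period, and the three sample entries are all assumptions constructed for the example.

```python
"""Scripted checks over a risk register (added example; assumptions noted inline)."""
from datetime import date, timedelta

# Fields every register entry must carry (item 5: identification, owner, response).
# Field names are assumptions for this example, not a standard layout.
REQUIRED_FIELDS = ("risk_id", "description", "risk_owner", "response",
                   "sle", "aro", "last_review")
VALID_RESPONSES = {"accept", "mitigate", "transfer", "avoid"}
REVIEW_PERIOD = timedelta(days=365)   # assumed policy: every risk reviewed at least annually
AS_OF = date(2024, 6, 30)             # assumed audit date
TOLERANCE = 25_000                    # assumed risk tolerance, as annualized loss


def ale(sle, aro):
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def check_completeness(entry):
    """Item 5: the entry names its risk, owner and response; 'mitigate' needs a control."""
    findings = [f"missing field '{f}'" for f in REQUIRED_FIELDS
                if entry.get(f) in (None, "")]
    response = entry.get("response")
    if response not in VALID_RESPONSES:
        findings.append(f"unknown risk response '{response}'")
    elif response == "mitigate" and not entry.get("controls"):
        findings.append("response is 'mitigate' but no control is recorded")
    return findings


def check_review(entry, today):
    """Item 6: the entry was reassessed within the review period."""
    last = entry.get("last_review")
    if last is not None and today - last > REVIEW_PERIOD:
        return [f"last review {last.isoformat()} is older than {REVIEW_PERIOD.days} days"]
    return []


def check_cost_benefit(entry, tolerance):
    """Item 7: each control's annual cost must be below the exposure it removes,
    and the residual exposure must sit within the stated risk tolerance."""
    findings = []
    if entry.get("sle") is None or entry.get("aro") is None:
        return findings
    residual = ale(entry["sle"], entry["aro"])          # inherent exposure
    for ctl in entry.get("controls", []):
        after = ale(ctl["residual_sle"], ctl["residual_aro"])
        reduction = residual - after                    # exposure this control removes
        if ctl["annual_cost"] > reduction:
            findings.append(f"control '{ctl['name']}' costs {ctl['annual_cost']:.0f}/yr "
                            f"but reduces ALE by only {reduction:.0f}")
        residual = after                                # controls applied in sequence
    if residual > tolerance:
        findings.append(f"residual ALE {residual:.0f} exceeds tolerance {tolerance:.0f}")
    return findings


def audit_register(register, today, tolerance):
    """Run all checks; return {risk_id: [findings]} for entries with at least one finding."""
    report = {}
    for entry in register:
        findings = (check_completeness(entry) + check_review(entry, today)
                    + check_cost_benefit(entry, tolerance))
        if findings:
            report[entry.get("risk_id", "<no id>")] = findings
    return report


# Constructed sample register (not real data): one clean entry, one with three
# deficiencies, and one accepted risk whose exposure exceeds tolerance.
SAMPLE_REGISTER = [
    {"risk_id": "R-001", "description": "Ransomware encrypts file servers",
     "risk_owner": "Head of Infrastructure", "response": "mitigate",
     "sle": 500_000, "aro": 0.2, "last_review": date(2024, 3, 1),
     "controls": [{"name": "Offline, tested backups", "annual_cost": 15_000,
                   "residual_sle": 50_000, "residual_aro": 0.2}]},
    {"risk_id": "R-002", "description": "Customer data leaked via email",
     "risk_owner": "", "response": "mitigate",
     "sle": 100_000, "aro": 0.5, "last_review": date(2022, 1, 15),
     "controls": [{"name": "DLP gateway", "annual_cost": 80_000,
                   "residual_sle": 20_000, "residual_aro": 0.5}]},
    {"risk_id": "R-003", "description": "Legacy ERP unsupported by vendor",
     "risk_owner": "CFO", "response": "accept",
     "sle": 60_000, "aro": 0.5, "last_review": date(2024, 5, 20), "controls": []},
]


def audit_sample():
    """Audit the constructed register as of the assumed audit date."""
    return audit_register(SAMPLE_REGISTER, AS_OF, TOLERANCE)


if __name__ == "__main__":
    for risk_id, findings in audit_sample().items():
        print(risk_id)
        for f in findings:
            print("  -", f)
```

The script only flags entries; the auditor still has to confirm the owner, the review evidence and the cost figures against source documents, and a qualitative register (high/medium/low ratings) would need the ALE arithmetic replaced by a rating comparison.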
