Risk Scoring System
A successful risk-based IT audit program can be based on an effective scoring system.Scoring refers to any consistent means of quantifying and then comparing distinct items based on elements that they have in common. All risk-based systems require some means to rank greater or lesser risk, or risk factors. Consequently, many risk-based systems rely on some means of scoring in their implementation. In establishing a scoring system, the board of directors and management should ensure the system is understandable, considers all relevant risk factors, and, to the extent possible, avoids subjectivity. Major risk factors commonly used in scoring systems include the following:
- The adequacy of internal controls;
- The nature of transactions (for example, the number and dollar volumes and the complexity);
- The age of the system or application;
- The nature of the operating environment (for example, changes in volume, degree of system and reporting centralization, sensitivity of resident or processed data, the impact on critical business processes, potential financial impact, planned conversions, and economic and regulatory environment);
- The physical and logical security of information, equipment, and premises;
- The adequacy of operating management oversight and monitoring;
- Previous regulatory and audit results and management's responsiveness in addressing issues;
- Human resources, including the experience of management and staff, turnover, technical competence, management's succession plan, and the degree of delegation; and
- Senior management oversight.
Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee or the board of directors. The sophistication and formality of guidelines will vary for individual institutions depending on their size, complexity, scope of activities, geographic diversity, and various technologies used. The institution can rely on standard industry practice or on its own experiences to define risk scoring. Auditors should use the guidelines to grade or assess major risk areas and to define the range of scores or assessments (e.g., groupings such as low, medium, and high risk or a numerical sequence such as 1 through 5).
The written risk assessment guidelines should specify the following elements:
- A maximum length for audit cycles based on the risk scores. (For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas. Audit cycles should not be open-ended.);
- The timing of risk assessments for each department or activity. (Normally risks are assessed annually, but more frequent assessments may be needed if the institution experiences rapid growth or significant change in operation or activities.);
- Documentation requirements to support scoring decisions; and
- Guidelines for overriding risk assessments in special cases and the circumstances under which they can be overridden. (For example, the guidelines should define who can override assessments, and how the override is approved, reported and documented.)
Numerous industry groups offer resources where institutions can obtain matrices, models, or additional information on risk assessments. Among these groups are: ISACA, American Bankers Association (ABA), American Institute of Certified Public Accountants (AICPA), and IIA. Day-to-day management of the risk-based audit program rests with the internal audit manager, who monitors the audit scope and risk assessments to ensure that audit coverage remains adequate. The internal audit manager also prepares reports showing the risk rating, planned scope, and audit cycle for each area. The audit manager should confirm the risk assessment system's reliability at least annually or whenever significant changes occur within a department or function. Operating department managers and auditors should work together in evaluating the risk in all departments and functions by reviewing risk assessments to determine their reasonableness.
Auditors should periodically review the results of internal control processes and analyze financial or operational data for any impact on a risk assessment or scoring. Accordingly, operating management should be required to keep auditors up to date on all major changes in departments or functions, such as the introduction of a new product, implementation of a new system, application conversions, or significant changes in organization or staff.
Audit Participation in Application Development, Acquisition, Conversions, and Testing