Information Systems Risk Management in Uganda


Information Systems Risk Management in Uganda
ISACA Kampala Chapter
Presentation by Mugabi Joseph, CISA, CRISC.
Tuesday, May 31, 2011.

Layout of the Presentation
What is Information Systems Risk Management (ISRM)?
What are the objectives of ISRM?
The Internal Perspective: The IS Auditors' Audit Risks.
The External Perspective: The IS Auditors' Clients' Risks.
The IS Audit/Assurance Cycle.
ISACA IT Audit and Assurance Standards and Guidelines on ISRM Best Practice.
Selection of a Risk Assessment Methodology.
Current Uganda ISRM practices.
Challenges of Managing ISRM Risks.
Summary of the IS Auditor's roles in regards to ISRM.
Roles the IS Auditor should NOT undertake.
References.
Conclusion.

What is Information Systems Risk Management (ISRM)?
Information Systems (IS) are the combination of strategic, managerial and operational activities involved in the gathering, recording, processing, storage, distribution and use of information and its related technologies.
Risk is the possibility of an act or event occurring that would have an adverse effect on the organization and its information systems.
Risk, in business, is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss and/or damage to the assets; it is usually measured by a combination of impact and probability/likelihood of occurrence (COBIT 4.1).

What is Information Systems Risk Management (ISRM)? (Cont'd)
Risk is the combination of the likelihood of events occurring and the impact those events have on the organization, either as opportunities for benefit (upside) or as threats to success (downside) (CRISC).
Risk management is the coordinated activities to direct and control an organization with regard to risk (ISACA Glossary).
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST, USA).

What is Information Systems Risk Management (ISRM)? (Cont'd)
Risk Appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.
Risk Tolerance is the acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives.
Risk Responses are the approaches an organization takes in dealing with the identified and ranked risks, namely avoidance, acceptance, transfer or mitigation.

What is Information Systems Risk Management (ISRM)? (Cont'd)
COSO defines Enterprise Risk Management (ERM) as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control-Integrated Framework.
The eight components are: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.
The four objective categories are:
Strategy: high-level goals, aligned with and supporting the organization's mission.
Operations: effective and efficient use of resources.
Financial Reporting: reliability of operational and financial reporting.
Compliance: compliance with applicable laws and regulations.

What are the Objectives of ISRM?
To secure the organization and its IS assets.
To enable the organization to accomplish its mission and vision.
To enable management to make well-informed risk management decisions and to justify the organization's expenditure that forms part of the IS budget.
To optimize the assignment of IS audit resources through a comprehensive understanding of the organization's IS environment, its audit universe and the risks associated with each auditable unit in that universe, so as to maximize benefits.
To use the risk-based audit approach in audit and assurance work: direct more resources to high business risk areas and add value continuously.

The Internal Perspective: The IS Auditor's Risks
Audit risk is the risk of the IS auditor reaching an incorrect conclusion based upon audit findings. It is threefold:
Inherent risk is the susceptibility of an audit area to error in a way that could be material, individually or in combination with other errors, assuming that there were no related internal controls (e.g. a complex IS).
Control risk is the risk that an error that could occur in an audit area, and that could be material, individually or in combination with other errors, will not be prevented, or detected and corrected, on a timely basis by the internal control system (e.g. anti-virus not updated).
Detection risk is the risk that the IS auditor's substantive procedures will not detect an error that could be material, individually or in combination with other errors (e.g. lack of a BCP or DRP, logs not reviewed).

The External Perspective: The IS Auditors' Clients' Risks
Ineffective information security.
Inadequate disaster recovery/business continuity plans.
Inadequate vulnerability management.
Non-compliance with regulations and policies.
Lack of organizational ISRM governance.
Mobile device mismanagement.
Cloud computing safety and security concerns over data.

The IS Audit/Assurance Cycle (diagram slide; no transcript text)

ISACA IT Audit and Assurance Standards and Guidelines on ISRM Best Practice
The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources.
When planning individual reviews, the IS auditor should identify and assess the risks relevant to the area under review.
Risk assessment is a technique used to examine the auditable units in the IS audit universe and to select for review, in the IS annual plan, those areas that have the greatest risk exposure.
An auditable unit is defined as a discrete segment of every organization and its systems.

ISACA IT Audit and Assurance Standards and Guidelines on ISRM Best Practice (Cont'd)
Determination of the IS audit universe should be based on knowledge of the organization's IT strategic plan, its objectives, its operations and discussions with responsible management.
The use of risk assessment in the selection of audit projects allows the IS auditor to quantify and justify the amount of IS audit resources needed to complete the IS audit plan or a particular review.
The IS auditor can prioritize scheduled reviews based on perceptions of risk and contribute towards the documentation of risk management frameworks (Updated Risk Register Template 2003.xls).

ISACA IT Audit and Assurance Standards and Guidelines on ISRM Best Practice (Cont'd)
An IS auditor should carry out a preliminary assessment of the risks relevant to the area under review. The IS audit engagement objectives for each specific review should reflect the results of that risk assessment.
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's control objectives and associated management practices.

Selection of a Risk Assessment Methodology
Judgmental: the IS auditor ranks risk as high, medium or low subjectively.
Analytical: numeric risk ranking for high, medium or low (e.g. the Pentana system).
In deciding which is the most appropriate risk assessment methodology, IS auditors should consider issues such as:
the type of information required to be collected (some systems use financial effects as the only measure, which is not always appropriate for IS audits);
the cost of software or other licences required to use the methodology;
the availability of information.

Risk Assessment Measurement: Manual
Worksheet columns:
Auditable Unit
Audit Risk Ranking (1-10; low to high)
Business Risk Ranking (1-3)
Weighted Total Risk Ranking
Rows listed on the slide (the numeric cells were not captured in the transcript):
Criticality of system/business/customer loyalty
LAN
Users of the system
Procurement
Business Continuity Plans
Disaster Recovery Plans
Payables
Project Budget
Prior Audit Findings
Region/Branch/Offices
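The analytical (numeric) methodology and the manual measurement worksheet above, as an added Python example that is not part of the presentation: it scores constructed sample auditable units on the slide's two scales, rejects scores outside those scales, and orders the units for the annual plan. The product weighting, the High/Medium/Low cut-offs and the sample scores are assumptions, since the slide does not state how the weighted total is formed.

```python
"""Risk-based ordering of auditable units (added example, not from the slides).
Assumed, not stated on the slide: weighted total = audit risk (1-10) times
business risk (1-3), range 1-30; the High/Medium/Low cut-offs are illustrative."""
from dataclasses import dataclass

AUDIT_RISK_RANGE = range(1, 11)    # 1 (low) to 10 (high), per the slide
BUSINESS_RISK_RANGE = range(1, 4)  # 1 (low) to 3 (high), per the slide

@dataclass(frozen=True)
class AuditableUnit:
    name: str
    audit_risk: int     # audit risk ranking (judgmental or analytical), 1-10
    business_risk: int  # business risk ranking, 1-3

    def __post_init__(self):
        # Reject scores outside the worksheet scales rather than letting a
        # typo silently distort the whole ranking.
        if self.audit_risk not in AUDIT_RISK_RANGE:
            raise ValueError(f"{self.name}: audit risk must be 1-10")
        if self.business_risk not in BUSINESS_RISK_RANGE:
            raise ValueError(f"{self.name}: business risk must be 1-3")

    def weighted_total(self) -> int:
        # Assumed weighting: business criticality multiplies the audit risk.
        return self.audit_risk * self.business_risk

def band(total: int) -> str:
    """Map a weighted total (1-30) to High/Medium/Low (assumed cut-offs)."""
    if total >= 18:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"

def prioritise(units):
    """Units from highest to lowest weighted total, each with its band."""
    ranked = sorted(units, key=lambda u: (-u.weighted_total(), u.name))
    return [(u.name, u.weighted_total(), band(u.weighted_total())) for u in ranked]

def annual_plan(units, capacity: int):
    """Names of the highest-risk units that fit into `capacity` reviews."""
    return [name for name, _, _ in prioritise(units)[:capacity]]

# Constructed sample register using auditable units named on the slide.
SAMPLE_UNITS = [
    AuditableUnit("LAN", 7, 3),
    AuditableUnit("Procurement", 5, 2),
    AuditableUnit("Business Continuity Plans", 8, 3),
    AuditableUnit("Disaster Recovery Plans", 9, 3),
    AuditableUnit("Payables", 4, 2),
    AuditableUnit("Project Budget", 3, 1),
    AuditableUnit("Region/Branch/Offices", 6, 2),
]
```

With these sample scores, annual_plan(SAMPLE_UNITS, 3) returns the disaster recovery, business continuity and LAN units, the three that an audit plan with capacity for three reviews would schedule first.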

Risk Assessment Measurement: ICT System (diagram slide; no transcript text)

Current Uganda ISRM Practices
Organizations undertake ISRM with the guidance of:
Laws; regulations; guidelines; policies; procedures.
Credit reference bureau; Know Your Employee (KYE); Know Your Customer (KYC), in the banking sector.
Stakeholders are:
Government regulatory entities, ministries, agencies, parastatals, projects.
Private sector/businesses: KPIs and staff appraisal rating tools; open communication on risk.
NGOs and project log-frames.
Risk committees, risk directors, risk officers, group meetings.

Challenges of Managing ISRM Risks
Many organizations do not understand that they are also in the business of managing their business risks, from the boardroom, through management commitment, to the data network. Everybody by default is a risk manager.
ISRM is a very difficult endeavour because risk variables can often interact in complex and elusive ways.
Lack of management understanding of what the organization's key IS risks are.
Lack of defined/enabling laws, standards or principles for risk management in organizations; delay in passing the AML bill.
Loss of efficiency and effectiveness in risk management processes through silos.
Poor funding and staffing for risk management purposes.

Summary of the IS Auditor's Roles in Regards to ISRM
Giving assurance on the IS risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks.

Roles the IS Auditor Should NOT Undertake
Setting the risk appetite.
Imposing risk management processes.
Giving management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.

References
ISACA Glossary, www.isaca.org/glossary.
Top Business/Technology Issues Survey Results 2011, ISACA.
www.coso.org/documents/COSO_ERM.
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, ISACA, August 2010.
Control Objectives for Information and related Technology (COBIT®) 4.1, ITGI, 2007; www.itgi.org.
Pentana, www.sepiasolutions.net/Software/Pentana.html.
CRISC Review Manual, 2011.

Conclusion
IS risk management is a fundamental element of corporate/organizational governance, with the tone set at the top.
Management is responsible for establishing and operating the risk management framework on behalf of the board.
The IS auditor's core role is to provide continuous assurance to management and to the board on the effectiveness of IS risk management.
It is critical to note that information, and the technology systems that support it, represent the organization's most valuable assets.
The business requires satisfaction in the areas of effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information assets in order to meet business objectives.