
Developing an IS Risk Assessment Process

This is a case study, which first appeared in the ISACA Journal in 1996, about developing an IS risk assessment process that integrates well with the rest of the business process. The same principle applies whether developing an IS risk model or a general business risk model: base the model on the current and future business process.

A few years ago, a financial services company formed an internal audit group to assist management with the evaluation of internal control. Within two years, the Internal Audit Director realized that information systems auditing was an important part missing from the current internal audit function. Information systems were an important part of the business, and yet there was no audit coverage. The Internal Audit Director decided to develop a long-range IS audit planning project that included an update to the audit universe and a risk model to define the annual IS audit schedule.

The company already had an audit universe and risk model for audit topics other than information systems audits. The project had to develop an effective system for IS audits that could be integrated with the existing process. Key success factors to this project were:

Integrating the results with the existing internal audit process.

Understanding the Business through Structures

A network that was forever expanding to keep up with the constant pressure of rapid growth was the main process that tied the organization together. A Wide Area Network spanned the USA with numerous sites, and each major site had its own Local Area Network. The headquarters LAN included hundreds of desktop computers running standard business applications in a Novell environment. Analyzing the structure of the information systems, we determined that the structure was complicated, but not complex. Our analysis revealed information about the major structures of the business and how information systems supported the company. We discussed our findings with the information systems management to test our understanding of the system structure and operation.

Understanding the Business through the People

In order to understand more about the business and how it used information systems, both currently and in the future, we interviewed major stakeholders in operations, finance and information systems. We also interviewed a cross-section of users from officers to accounting clerks and from advanced users to novices. In addition to understanding what the business was trying to accomplish, we got a good sense of how employees did business with the company's customers.

Two people conducted the interviews: one person asked most of the questions, while the second person took notes and observed the process for what was left unsaid. The interviews were structured; that is, the questions were written out in advance. Using structured interviews would allow us to summarize responses more easily into general statements. Our questionnaire concluded with an open-ended question designed to uncover possible problem areas or unfilled current and future user needs:

"If you had unlimited funds to spend on IS projects, what would you buy?"

Interestingly enough, most people said they would hire more people with the right skills.

We interviewed some people by themselves, and at other times we interviewed a small focus group. Small focus groups produced the richest data. People in focus groups would stimulate each other's thinking during the question-and-answer phase. Nearly thirty people were asked about their business operation, the role of information systems in their portion of the business, and the possible requirements of information systems and services for future business operations.

Over a period of a few days a picture of the management culture at the company began to emerge. The management culture relied heavily on people who believed in:
