Concept-Risk Assessment
This article contains:
- Simple explanation of risk.
- Steps of risk assessment.
- Clarification on vulnerability & threat.
- Types of risk.
- Treating risk.
- Question, Answer and Explanation (QAE) on the risk assessment concept as per the CISA exam pattern.
Simple Explanation of Risk:
You might know any number of definitions/formulas for risk. However, for CISA certification, please remember only the 2 formulas mentioned below:
In simple terms, risk is the product of probability and impact.
Risk = Probability * Impact
Risk = P * I
OR
Risk is the product of asset value, vulnerability and threat.
Risk = A * V * T
Question:
Overall business risk for a
particular threat can be expressed as:
A. a product of the probability and impact.
B. probability of occurrence.
C. magnitude of impact.
D. assumption of the risk assessment team.
(for answer & explanation refer to QAE no. 9)
Steps of Risk Assessment:
Please note down the steps for risk assessment below. Invariably there will be 2 or more questions on this concept.
- First step is to identify the assets (in some cases, critical processes).
- Second step is to identify the relevant risks (vulnerabilities/threats).
- Third step is to do impact analysis (qualitative or quantitative).
- Fourth step is to prioritize the risks on the basis of impact.
- Fifth step is to evaluate the existing controls.
- Sixth step is to apply appropriate controls.
Question:
An IS auditor has identified certain threats and vulnerabilities in a business
process. Next, the IS auditor should:
A. identify the stakeholders for that business process.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.
(for answer & explanation refer to QAE no. 4)
Clarification on Vulnerability & Threat:
One of ISACA's favorite and most preferred games is to get us confused between the terms 'vulnerability' and 'threat' during the CISA exam. Let us understand the basic difference between the two so they cannot trick us anymore.
What is a threat?
A threat is what we're trying to protect against. Our enemy could be earthquake, fire, hackers, malware, system failure, criminals and many other unknown forces. Threats are not in our control.
What is a vulnerability?
A vulnerability is a weakness or gap in our protection efforts. A vulnerability can be in the form of weak coding, missing anti-virus, weak access control and other related factors. Vulnerabilities can be controlled by us.
Question:
Absence of proper security measures represents a(n):
A. threat.
B. asset.
C. impact.
D. vulnerability.
(for answer & explanation refer to QAE no. 20)
Types of Risk:
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls).
Residual Risk: The risk that remains after controls are taken into account (the net risk, or risk after controls).
Detection Risk: The risk that the auditors fail to detect a material misstatement in the financial statements.
Control Risk: The risk that a misstatement could occur but may not be prevented, or detected and corrected, by the entity's internal control mechanism.
Audit Risk: Inherent Risk x Control Risk x Detection Risk
Question:
The risk of an IS auditor certifying the existence of proper systems and procedures
without using an adequate test procedure is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.
(for answer & explanation refer to QAE no. 8)
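To tie the six assessment steps and the inherent/residual risk definitions together, here is an added Python example (not code from the original article): a small risk register that rates each asset with the Risk = A * V * T formula on constructed 1..5 scales, ranks the register by inherent risk, and computes the residual risk left after an evaluated control is applied. The register entries and the control effectiveness value are constructed sample data.

```python
"""Risk register following the six assessment steps: identify assets, identify
vulnerability/threat, rate impact, prioritise, evaluate and apply controls."""
from dataclasses import dataclass


@dataclass
class RiskItem:
    asset: str           # step 1: asset or critical process
    threat: str          # step 2: threat, outside our control
    vulnerability: str   # step 2: weakness, within our control
    asset_value: int     # step 3: qualitative 1..5 ratings (constructed scale)
    vuln_rating: int
    threat_rating: int
    control_effectiveness: float = 0.0  # 0 = no control, 1 = fully mitigates

    def __post_init__(self):
        for name in ("asset_value", "vuln_rating", "threat_rating"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on the 1..5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    def inherent_risk(self) -> int:
        """Gross risk before controls: Risk = A * V * T."""
        return self.asset_value * self.vuln_rating * self.threat_rating

    def residual_risk(self) -> float:
        """Net risk after controls: the share the control does not mitigate."""
        return self.inherent_risk() * (1.0 - self.control_effectiveness)


def prioritise(register):
    """Step 4: rank the register by inherent risk, highest first."""
    return sorted(register, key=lambda r: r.inherent_risk(), reverse=True)


def apply_control(item, effectiveness):
    """Steps 5-6: record an evaluated control and return the residual risk."""
    item.control_effectiveness = effectiveness
    return item.residual_risk()


def build_register():
    """Constructed sample register (not data from the original article)."""
    return [
        RiskItem("office PCs", "fire", "no suppression system", 2, 3, 1),
        RiskItem("payroll database", "hackers", "weak access control", 5, 4, 3),
        RiskItem("web server", "malware", "missing anti-virus", 3, 5, 3),
    ]
```

Ranking by inherent risk puts the payroll database (5 * 4 * 3 = 60) first; applying a control rated 0.75 effective to it leaves a residual risk of 15.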
The full version of the book can be downloaded from:
Well explained, Hemang Doshi.
There is definitely a need for a Workplace Health & Safety Consultant to minimize any kind of risk to life, and it also increases the spirit of doing.