These are challenging times for CIOs. The increasing influence of IT on the way business is conducted, together with regulations such as Sarbanes-Oxley and Basel II, has put the focus back on effectively managing risk in IT operations.
Adding to the challenge is the environment of cost rationalization, where organizations need a comprehensive IT risk management framework to justify the risk mitigation against the costs incurred to mitigate the risk. It is imperative that managing IT risk be given the same importance in terms of time and resources as managing any business risk.
This enhanced focus on risk and the associated internal controls has led organizations to concentrate on business processes and the identification of their inherent risks. However, processes are inextricably linked to the IT applications that either support or interface with them.
Evaluating controls to mitigate business process risks cannot be complete without assessing the controls within the applications that enable those business processes. Moreover, certain IT risks, such as unauthorized access, inappropriate segregation of duties and application security weaknesses, are common across business processes.
This calls for a two-level assessment of IT risks: a “horizontal controls assessment”, i.e. a review of the IT processes common to all applications, followed by an application-specific “vertical controls assessment”. At each level, organizations should identify risks, assess them and take corrective action to reduce their impact.