‘High Risk’ Audit Finding Doesn't Hold Up to FAIR Analysis

September 3, 2019

I recently worked with a retail organization to run a FAIR analysis on an audit finding and settle a difference between the IT and Internal Audit teams.  It’s a simple story but one that shows the power of quantitative risk analysis to get beyond guesswork and gut feelings, and drive decision making based on analysis results that everyone can understand.

The problem

The audit finding was around employees having inappropriate access to a couple of systems where they were allowed to push their own changes into production. The auditors wanted to issue a finding with a High Risk rating. The application controlled pricing for the organization, which is why the auditors found this issue to be particularly worrisome, and how they were justifying the High rating.

The IT team was not disputing that they had an issue with unauthorized access–they were disputing the High Risk rating.  The team had a gut feeling that it really wasn’t as big of an issue as the auditors were saying.

Enter RiskLens 

The IT team had recently implemented the RiskLens application for cyber risk analytics.  As the team thought through how to scope this analysis, they identified the following key elements from the FAIR method:

Loss Event:  How much risk is associated with employees having inappropriate access to the application, giving them the ability to push their own changes into production?

Asset:  The application

Threat:  Malicious and Non-Malicious insiders

Effect:  Integrity

Next, the IT team asked a few simple questions to the subject matter experts in the organization:

  • How often has someone with access pushed their own change into production?
  • How long would it take to notice an issue with pricing?
  • What controls are in place to prevent someone from creating, approving and implementing a pricing change into production?

How to Explain FAIR to Auditors

When Audit and InfoSec Teams Play Nice Together


The Result

As the team gathered data, they found that only in emergency situations would employees with access push their own changes into production, and that had only occurred once or twice in the last year. Even then, those changes were monitored by management.

When they investigated how long it would take to notice an issue with pricing, they found that physical inventories are completed at a minimum of once a year and that would catch any issues with pricing. Also, any issues with pricing would be noticed fairly quickly at the retail store.

As for the controls in place, they found that the organization follows all change control processes.  Each change goes through an approval workflow, that must be approved by the direct manager before a change can be pushed into production.

Case Study graphicAfter a filling in a few more data points around loss, they were able to determine there was only an annualized loss exposure of $0 – $5,000 with a most likely value of $0, by running the data through the Monte Carlo engine in the RiskLens application.  They were able to determine this would be a very low risk to the organization.

The outcome: The team was able to draft a response to the auditors acknowledging the issue at hand and were able to give the auditors sound information as to why it should not be considered a High Risk. Our clients didn’t share the response from the auditors, but the results of a rigorous, quantified analysis by FAIR and RiskLens were indisputable.


Gartner named cyber risk quantification as a key component of integrated risk management