How to Make Year-End Controls Testing by IT Auditors Go as Smoothly as Peppermint Latte, Almost

November 21, 2019  Taylor Maze

A Peppermint Latte on a white saucerAs we are thrown headlong into the holiday season, several things are inevitable: peppermint lattes, parking catastrophes at your local mall, and (if you’re a control owner, director, systems architect or just an unlucky IT analyst at a 12/31 business) year-end controls testing by your friendly neighborhood auditor. 'Tis the season for evidence gathering emails, process interviews, debates about how ineffective your process is, and about a million screenshots. Not to mention the annual argument about whether that finding is *really* high risk.

While auditors and IT staff alike try to do their best to make this as smooth a process as possible, as a former auditor I can attest (get it?) to the fact that this is not always the most painless experience. Here are three ways you can use  the FAIR model to make a more pleasant auditing season.

1. Understand your business risk

Utilizing FAIR and  RiskLens Cyber Risk Quantification (CRQ), you can run an enterprise- wide analysis that will allow you to understand the areas the present the largest risk in your organization (before your auditor tells you!).

An enterprise-wide analysis allows you to assess enterprise risk by analyzing multiple risks across different areas of the organization. By looking at multiple types of scenarios (Confidentiality, Integrity, and Availability) across a variety of assets, you can pinpoint which scenarios and assets present the greatest loss exposure to the organization and can begin assessing mitigation and risk acceptance alternatives. For example, you may analyze the aggregate risk associated with the following scenarios:

The risk associated with…

  • A non-malicious privileged insider mis-addressing emails containing client PII, resulting in a confidentially loss
  • A DDOS attack resulting in an extended outage of a crown jewel application
  • Inappropriate change implemented into production as a result of improper change management procedures
  • A cyber-criminal breaching a database containing PII

Learn more:

Building a Quantitative Risk Management Program with FAIR and RiskLens

Case Study: Risk Team Finds Best Data Protection Solution Based on ROI

2. Evaluate Areas of Concern

After you have pinpointed your areas of concern (or if you already had specific areas in mind) you can conduct individual analyses to take a closer look into the specific loss event. Conducting a more narrow analysis allows you to utilize more precise data points and as such, gain greater understanding into the loss exposure associated with the event.

For example, you may conduct a quantitative risk analysis related to the risk associated with a cyber-criminal  breaching a database containing PII. Utilizing a rigorous, defensible process to gather data, you can evaluate both the frequency and magnitude and ultimately, loss exposure associated with the event. In addition to providing additional clarity into this specific event, the analysis also provides a means of comparing various risks.

3. Consider mitigation alternatives

After conducting the in-depth analysis, as an organization you must decide if you will accept the risk or implement a mitigating control. If you determine the risk is too great to accept, then you must decide which potential control provides the greatest ROI. This is a process that can be done as you are assessing scenarios independently or following an audit finding.

In order to compare the ROI of different control investments, you first conduct the original analysis. After you have completed the analysis and are comfortable with the results, you can then version the analysis. By doing so, you are creating a carbon copy of the analysis that can then be updated to reflect changes in various parts of the model as a result of the control improvement.

In the case of the data breach scenario, one of the controls you may be considering is encryption at rest. Prior to updating the analysis, you would first consider which area(s) of the model would be impacted by the control improvement. Given that encryption at rest impacts the sensitivity of the information rather than the difficulty in accessing it, it would result in a reduction in the magnitude associated with the event.

Case Study: ROI of Encryption at Rest

After making the changes, you then rerun the analysis and can compare the results from the current and future state scenarios. From the comparison you can determine the change in loss exposure as a result of implementing encryption at rest, which can then be compared to the investment cost of the control.

By utilizing this method, you can evaluate the finding resolutions recommended and determine an agreeable solution for both you and your auditors.


What Does RiskLens Reporting Tell Me?