The risk within self audit risk assessments

No one knows the risks inherent to an asset better than those who work with the asset. That is why self audit has been around for years. It allows the audit team to get to the hidden details, while distributing the discovery phase of the workload beyond the audit team itself.

When I first started working with self-assessment audits, the sessions were typically moderated by an experienced risk assessor. The moderator would ensure likelihoods and impacts were accurately recorded and would use an auditor’s experience to help interpret and guide the answers.

Since then, Risk and Audit teams have been placed under increasing pressure to do more with less. I have noticed a trend to remove the moderator from self-assessments and take the self-assessor’s word that the audit contents are correct. The assessments are later reviewed by the auditor as a form of quality control. This allows more simultaneous audits to occur at no cost to the Audit team, as an auditor does not have to attend every assessment. However, it can easily lead to quality control issues when inaccurate details are recorded:

  • Risk assessments can be subjective – while we may aim for an assessment to be as quantitative as possible, qualitative judgement calls are inevitable. Inexperienced assessors may rate the same Impact or Likelihood significantly differently, regardless of corporate guidance.
  • Impacts and Likelihoods may be skewed by self-assessors to record a more favourable risk, especially where a self-assessor has a conflict of interest in the outcome.

The deliberate skewing of results is a negative but predictable human trait that is rewarded in a risk assessment: if the risk is assessed as low enough, it will fall from view of management and audit.

Consider a project employee assessing a risk for their own project. If the assessment is unfavourable to the project, the assessor may worry for their own job security if the project were cancelled, or for their expertise being questioned. This may influence their answers around Impact and Likelihood. The more responsibility the self-assessor has for the project, the more tempting it may be to skew unfavourable results.

Thus, self-assessed risk assessments present their own risk to the organisation: they may be filled with inaccuracies, designed to facilitate a favourable view of the asset being audited, leaving desirable mitigating factors unused.

In the past, I have addressed the need for self-assessment and the desire to avoid conflict of interest by creating two tiers of risk assessment:

  1. A simple Impact self-assessment, which only records details around the Impact of a risk. This tier does the ground work.
  2. A traditional risk assessment conducted by both an auditor and the self-assessors, adding the Likelihood to the previous Impact assessment.

Unless required for compliance, the assessment process could end at the Impact self-assessment if the risk’s Impact is negligible and the auditor is satisfied the Likelihood is not “almost certain” (or whatever threshold is desirable and documented).

By removing the Likelihood assessment responsibility from the self-assessor, we remove some of their ability to hide an extreme downside risk through obfuscation. A skewed Impact is often a lot more obvious than a skewed Likelihood. Think about the physical risk of flooding to an organisation’s only server room – if the self-assessor records the Impact of such an event as Moderate, even an auditor unfamiliar with IT would stand a chance of uncovering that ruse. But with the Likelihood assessment, a self-assessor can more easily hide the risk by skewing the Likelihood value. A once-in-twenty-year flood versus a once-in-fifteen-year flood? An auditor may not know the actual likelihood of either occurrence, but those five years might be all the difference between a risk needing to be managed and a risk being accepted without further management.
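The two-tier stop rule and the server-room flood example, modelled as an added illustration (not the author's tooling): a small Python model of when tier 1 may close an assessment, and of how moving only the recorded recurrence interval can carry a risk across the treatment threshold while Impact stays fixed. The 5-point scales, score cut-offs, treatment policy and recurrence bands are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales: the 5-point bands, score cut-offs and recurrence bands
# below are assumed for illustration, not taken from the article.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

@dataclass
class Assessment:
    asset: str
    impact: str                       # tier 1: recorded by the self-assessor
    likelihood: Optional[str] = None  # tier 2: recorded with the auditor present

def rating(impact: str, likelihood: str) -> str:
    # Combine the two scales on a conventional 5x5 matrix (cut-offs assumed).
    score = IMPACT[impact] * LIKELIHOOD[likelihood]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def needs_treatment(impact: str, likelihood: str) -> bool:
    """Assumed policy: high and extreme risks are managed, lower ones may be accepted."""
    return rating(impact, likelihood) in ("high", "extreme")

def can_close_at_tier1(a: Assessment, auditor_rules_out_almost_certain: bool) -> bool:
    """Stop rule: tier 1 suffices only if the recorded Impact is negligible and
    the auditor is satisfied the Likelihood is not 'almost certain'."""
    return a.impact == "negligible" and auditor_rules_out_almost_certain

def likelihood_from_interval(years_between_events: float) -> str:
    """Map a recurrence interval (years between events) to the ordinal scale."""
    if years_between_events >= 20:
        return "rare"
    if years_between_events >= 10:
        return "unlikely"
    if years_between_events >= 3:
        return "possible"
    if years_between_events >= 1:
        return "likely"
    return "almost certain"

def flood_example():
    """Server-room flood with Impact fixed at 'severe'; only the interval moves."""
    return (needs_treatment("severe", likelihood_from_interval(15)),
            needs_treatment("severe", likelihood_from_interval(20)))
```

With Impact held at severe, the fifteen-year interval lands in the band that requires treatment and the twenty-year interval does not, which is the five-year gap the text describes.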

As a benefit, Impact is also easier for a layperson to understand and articulate for assessment. However, putting a value on Likelihood (how often an event may occur) can be difficult, even for experienced assessors.

For organisations that largely rely on self-assessments, this two tier assessment process will require more hands-on involvement from Audit than self-assessment would – any self-assessments that present a plausible Likelihood will undoubtedly require the Auditor to join the self-assessors to complete the Likelihood components.

However, if you prefer facts and uniformity in your risk assessments, this process bridges the gap between self-driven assessments and auditor-driven assessments, while saving your auditors from having to attend every assessment in person. Just be sure a one-dimensional Impact assessment will be accepted by your organisation’s compliance team.

Jason Kempnich

Jason is an Information Security Consultant and CISSP based in Queensland, Australia, with 20 years experience. He has worked in a variety of sectors from federal government through to giant multinational organisations.
